Abstract. A compositional Petri net-based semantics is given to a simple language allowing 
pointer manipulation and parallelism. The model is then applied to give a notion 
of validity to the judgements made by concurrent separation logic that emphasizes the 
process-environment duality inherent in such rely-guarantee reasoning. Soundness of the 
rules of concurrent separation logic with respect to this definition of validity is shown. The 
independence information retained by the Petri net model is then exploited to characterize 
the independence of parallel processes enforced by the logic. This is shown to permit a 
refinement operation capable of changing the granularity of atomic actions. 



1. Introduction 

The foundational work of Hoare on parallel programming [Hoa72] identified the fact 
that attributing an interleaved semantics to parallel languages is problematic. Three areas 
of difficulty were isolated, quoted directly: 

• That of defining a 'unit of action'. 

• That of implementing the interleaving on genuinely parallel hardware. 

• That of designing programs to control the fantastic number of combinations involved in 
arbitrary interleaving. 

The significance of these problems increases with developments in hardware, such as 
multiple-core processors, that allow primitive machine actions to occur at the same time. 

As Hoare went on to explain, a feature of concurrent systems in the physical world is 
that they are often spatially separated, operating on completely different resources and not 
interacting. When this is so, the systems are independent of each other, and therefore it is 
unnecessary to consider how they interact. This perspective can be extended by regarding 
computer processes as spatially separated if they operate on different memory locations. 
The problems above are resolved if the occurrence of non-independent parallel actions is 
prohibited except in rare cases where atomicity may be assumed, as might be enforced using 
the constructs proposed in [Dij68, Bri72]. 
Independence models for concurrency allow semantics to be given to parallel languages 
in a way that can tackle the problems associated with an interleaved semantics. The common 
core of independence models is that they record when actions are independent, and that 
independent actions can be run in either order or even concurrently with no consequence on 
their effect. This mitigates the increase in the state space since unnecessary interleavings of 
independent actions need not be considered (see e.g. [CGMP99] for applications to model 
checking). Independence models also permit easier notions of refinement which allow the 
assumed atomicity of actions to be changed. 

It is surprising that, to our knowledge, there has been no comprehensive study of the 
semantics of programming languages inside an independence model. The first component 
of our work gives such a semantics in terms of a well-known independence model, namely 
Petri nets. Our model isolates the specification of the control flow of programs from their 
effect on the shared state. It indicates what appears to be a general method (an alternative 
to Plotkin's structural operational semantics) for giving a structural Petri net semantics to 
a variety of languages — see the Conclusion, Section 7. 

The language that we consider is motivated by the emergence of concurrent separation 
logic [O'H07], the rules of which form a partial correctness judgement about the execution 
of pointer-manipulating concurrent programs. Reasoning about such programs has traditionally 
proved difficult due to the problem of variable aliasing. For instance, Owicki and 
Gries' system for proving properties of parallel programs that do not manipulate pointers 
[OG76] essentially requires that the programs operate on disjoint collections of variables, 
thereby allowing judgements to be composed. In the presence of pointers, the same syntactic 
condition cannot be imposed to yield a sound logic since distinct variables may point to 
the same memory location, thereby allowing arbitrary interaction between the processes. 
To give a specific example, Owicki and Gries' system would allow a judgement of the form 

$$\{x \mapsto 0 \land y \mapsto 0\}\ \ x := 1 \parallel y := 2\ \ \{x \mapsto 1 \land y \mapsto 2\},$$

indicating that the result of assigning 1 to the program variable x concurrently with assigning 
2 to y from a state where x and y both initially hold value 0 is a state where x holds 
value 1 and y holds value 2. The judgement is sound because the variables x and y are 
distinct. If pointers are introduced to the language, however, it is not sound to conclude 
that 

$$\{[x] \mapsto 0 \land [y] \mapsto 0\}\ \ [x] := 1 \parallel [y] := 2\ \ \{[x] \mapsto 1 \land [y] \mapsto 2\},$$
which would indicate that assigning 1 to the location pointed to by x and 2 to the location 
pointed to by y yields a state in which x points to a location holding 1 and y points to a 
location holding 2, since x and y may both point to the same location. 

At the core of separation logic [Rey00, IO01], initially presented for non-concurrent 
programs, is the separating conjunction, $\varphi * \psi$, which asserts that the state in which processes 
execute may be split into two parts, one part satisfying $\varphi$ and the other $\psi$. The separating 
conjunction was used by O'Hearn to adapt Owicki and Gries' system to provide a rule for 
parallel composition suitable for pointer-manipulating programs [O'H07]. 

As we shall see, the rule for parallel composition is informally understood by splitting 
the initial state into two parts, one owned by the first process and the other by the second. 
Ownership can be seen as a dynamic constraint on the interference to be assumed: parallel 
processes always own disjoint sets of locations and only ever act on locations that they own. 
As processes evolve, ownership of locations may be transferred using a system of invariants 
(an example is presented in Section 3). A consequence of this notion of ownership is that 
the rules discriminate between the parallel composition of processes and their interleaved 
expansion. For example, the logic does not allow the judgement 

$$\{\ell \mapsto 0\}\ \ [\ell] := 1 \parallel [\ell] := 1\ \ \{\ell \mapsto 1\},$$

which informally means that the effect of two processes acting in parallel which both assign 
the value 1 to the memory location $\ell$ from a state in which $\ell$ holds 0 is to yield a state 
in which $\ell$ holds 1. However, if we adopt the usual rule for the nondeterministic sum of 
processes, the corresponding judgement is derivable for their interleaved expansion, 

$$([\ell] := 1 ; [\ell] := 1) + ([\ell] := 1 ; [\ell] := 1).$$

One would hope that the distinction that the logic makes between concurrent processes and 
their interleaved expansion is captured by the semantics; the Petri net model that we give 
does so directly. 

The rules of concurrent separation logic contain a good deal of subtlety, and so lacked 
a completely formal account until the pioneering proof of their soundness due to Brookes 
[Bro07]. The proof that Brookes gives is based on a form of interleaved trace semantics. The 
presence of pointers within the model alongside the possibility that ownership of locations 
is transferred means, however, that the way in which processes are separated is absolutely 
non-trivial, which motivates strongly the study of the language within an independence 
model. We therefore give a proof of soundness using our net model and then characterize 
entirely semantically the independence of concurrent processes in Theorem 5.4. 

It should be emphasized that the model that we present is different from Brookes' since 
it provides an explicit account of the intuitions behind ownership presented by O'Hearn. 
It involves taking the original semantics of the process and embellishing it to capture the 
semantics of the logic. The proof technique that we employ defines validity of assertions 
in a way that captures the rely-guarantee reasoning [Jon83] emanating from ownership in 
separation logic directly, and in a way that might be applied in other situations. 

In [Rey04], Reynolds argues that the separation of parallel processes arising from the 
logic allows store actions that were assumed to be atomic, in fact, to be implemented as 
composite actions (seen as a change in their granularity) with no effect on the validity of 
the judgement. Independence models are suited to modeling situations where actions are 
not atomic, a perspective advocated by Lamport and Pratt [Pra86, Lam86]. We introduce a 
novel form of refinement, inspired by that of [vGG89], and show how this may be applied to 
address the issue of granularity using our characterization of the independence of processes 
arising from the logic. 

2. Terms and states 

Concurrent separation logic is a logic for programs that operate on a heap. A heap is a 
structure recording the values held by memory locations that allows the existence of pointers 
as well as providing primitives for the allocation and deallocation of memory locations. A 
heap can be seen as a finite partial function from a set of locations Loc to a set of values 
Val: 

$$\mathrm{Heap} = \mathrm{Loc} \rightharpoonup_{\mathrm{fin}} \mathrm{Val}$$
We will use $\ell$ to range over elements of Loc and $v$ to range over elements of Val. As stated, 
a heap location can point to another location, so we require that $\mathrm{Loc} \subseteq \mathrm{Val}$. We shall say 
that a location is current (or allocated) in a heap if the heap is defined at that location. The 
procedure of making a non-current location current is allocation, and the reverse procedure 
is called deallocation. If $h$ is a heap and $h(\ell) = \ell'$, there is no implicit assumption that $h(\ell')$ 
is defined. Consequently, heaps may contain dangling pointers. 

In addition to operating on a heap, the programs that we shall consider shall make use 
of critical regions [Dij68] protected by resources. The mutual exclusion property that they 
provide is that no two parallel processes may be inside critical regions protected by the same 
resource. We will write Res for the set of resources and use r to range over its elements. 
Critical regions are straightforwardly implemented by recording, for each resource, whether 
the resource is available or unavailable. A process may enter a critical region protected 
by r only if r is available; otherwise it is blocked and may not resume execution until the 
resource becomes available. The process makes r unavailable upon entering the critical 
region and makes r available again when it leaves the critical region. The language also has 
a primitive, resource w do t od, which says that the variable w represents a resource local 
to t. 

The syntax of the language that we will consider is presented in Figure 1. The symbol 
a is used to range over heap actions, which are actions on the heap that might change the 
values held at locations but do not affect the domain of definition of the heap. That is, 
they neither allocate nor deallocate locations. We reserve the symbol b for boolean guards, 
which are heap actions that may proceed without changing the heap if the boolean b holds. 

Provision for allocation within our language is made via the $\mathsf{alloc}(\ell)$ primitive for 
$\ell \in \mathrm{Loc}$, which makes a location current and sets $\ell$ to point at this location. For symmetry, 
$\mathsf{dealloc}(\ell)$ makes the location pointed to by $\ell$ non-current if $\ell$ points to a current location. 
Writing a heap as the set of values that it holds for each allocated location, the effect of 
the command $\mathsf{alloc}(\ell)$ on the heap $\{\ell \mapsto 0\}$ might be to form a heap $\{\ell \mapsto \ell', \ell' \mapsto 1\}$ if 
the location $\ell'$ is chosen to be allocated and is assigned initial value 1. The effect of the 
command $\mathsf{dealloc}(\ell)$ on the heap $\{\ell \mapsto \ell', \ell' \mapsto 1\}$ would be to form the heap $\{\ell \mapsto \ell'\}$. 

The guarded sum a.t + a' .t' is a process that executes as t if a takes place or as t' 
if a' takes place. We refer the reader to Section [?] for a brief justification for disallowing 
non-guarded sums. 

As mentioned earlier, critical regions are provided to control concurrency: the sub- 
process t inside with r do t od can only run when no other process is inside a critical region 
protected by r. The term resource w do t od has the resource variable w bound within t, 
asserting that a resource is to be chosen that is local to t and used for w. Consequently, in 
the process 

$$(\mathsf{resource}\ w\ \mathsf{do}\ \mathsf{with}\ w\ \mathsf{do}\ t_1\ \mathsf{od}\ \mathsf{od}) \parallel (\mathsf{resource}\ w\ \mathsf{do}\ \mathsf{with}\ w\ \mathsf{do}\ t_2\ \mathsf{od}\ \mathsf{od})$$

the sub-processes $t_1$ and $t_2$ may run concurrently since they must be protected by different 
resources, one local to the process on the left and the other local to the process on the right. 
To model this, we shall say that the construct resource w do t od binds the variable w 
within t, and the variable w is free in with w do t od. We write fv(t) for the free variables 
in t and say that a term is closed if it contains no free resource variables; we shall restrict 
attention to such terms. We write $[r/w]t$ for the term obtained by substituting r for free 
occurrences of the variable w within t. As standard, we will identify terms 'up to' the 
standard alpha-equivalence $\equiv$ induced by renaming bound occurrences of variables. The 
notation res(t) is adopted to represent the resources occurring in t. 

The semantics of the term resource w do t od will involve first picking a 'fresh' resource 
r and then running $[r/w]t$. It will therefore be necessary to record during the execution of 
Terms: 

$t ::= \alpha$  heap action 
$\quad\mid\ \mathsf{alloc}(\ell)$  heap allocation 
$\quad\mid\ \mathsf{dealloc}(\ell)$  heap disposal 
$\quad\mid\ t_1 ; t_2$  sequential composition 
$\quad\mid\ t_1 \parallel t_2$  parallel composition 
$\quad\mid\ \alpha_1.t_1 + \alpha_2.t_2$  guarded sum 
$\quad\mid\ \mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}$  iteration 
$\quad\mid\ \mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}$  resource declaration 
$\quad\mid\ \mathsf{with}\ r\ \mathsf{do}\ t\ \mathsf{od}$  critical region 
$\quad\mid\ \mathsf{with}\ w\ \mathsf{do}\ t\ \mathsf{od}$  critical region (local). 

Free variables and resources: 

$\mathrm{fv}(\alpha) = \emptyset$ 
$\mathrm{fv}(\mathsf{alloc}(\ell)) = \emptyset$ 
$\mathrm{fv}(\mathsf{dealloc}(\ell)) = \emptyset$ 
$\mathrm{fv}(t_1 ; t_2) = \mathrm{fv}(t_1) \cup \mathrm{fv}(t_2)$ 
$\mathrm{fv}(t_1 \parallel t_2) = \mathrm{fv}(t_1) \cup \mathrm{fv}(t_2)$ 
$\mathrm{fv}(\alpha_1.t_1 + \alpha_2.t_2) = \mathrm{fv}(t_1) \cup \mathrm{fv}(t_2)$ 
$\mathrm{fv}(\mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{fv}(t)$ 
$\mathrm{fv}(\mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{fv}(t) \setminus \{w\}$ 
$\mathrm{fv}(\mathsf{with}\ r\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{fv}(t)$ 
$\mathrm{fv}(\mathsf{with}\ w\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{fv}(t) \cup \{w\}$ 

$\mathrm{res}(\alpha) = \emptyset$ 
$\mathrm{res}(\mathsf{alloc}(\ell)) = \emptyset$ 
$\mathrm{res}(\mathsf{dealloc}(\ell)) = \emptyset$ 
$\mathrm{res}(t_1 ; t_2) = \mathrm{res}(t_1) \cup \mathrm{res}(t_2)$ 
$\mathrm{res}(t_1 \parallel t_2) = \mathrm{res}(t_1) \cup \mathrm{res}(t_2)$ 
$\mathrm{res}(\alpha_1.t_1 + \alpha_2.t_2) = \mathrm{res}(t_1) \cup \mathrm{res}(t_2)$ 
$\mathrm{res}(\mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{res}(t)$ 
$\mathrm{res}(\mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{res}(t)$ 
$\mathrm{res}(\mathsf{with}\ r\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{res}(t) \cup \{r\}$ 
$\mathrm{res}(\mathsf{with}\ w\ \mathsf{do}\ t\ \mathsf{od}) = \mathrm{res}(t)$ 

Substitution: 

$[r/w]\alpha = \alpha$ 
$[r/w]\mathsf{alloc}(\ell) = \mathsf{alloc}(\ell)$ 
$[r/w]\mathsf{dealloc}(\ell) = \mathsf{dealloc}(\ell)$ 
$[r/w](t_1 ; t_2) = ([r/w]t_1) ; ([r/w]t_2)$ 
$[r/w](t_1 \parallel t_2) = ([r/w]t_1) \parallel ([r/w]t_2)$ 
$[r/w](\alpha_1.t_1 + \alpha_2.t_2) = \alpha_1.([r/w]t_1) + \alpha_2.([r/w]t_2)$ 
$[r/w](\mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{while}\ b\ \mathsf{do}\ [r/w]t\ \mathsf{od}$ 
$[r/w](\mathsf{resource}\ w'\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{resource}\ w'\ \mathsf{do}\ [r/w]t\ \mathsf{od}$  if $w \neq w'$ 
$[r/w](\mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}$ 
$[r/w](\mathsf{with}\ r'\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{with}\ r'\ \mathsf{do}\ [r/w]t\ \mathsf{od}$ 
$[r/w](\mathsf{with}\ w'\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{with}\ r\ \mathsf{do}\ [r/w]t\ \mathsf{od}$  if $w = w'$ 
$[r/w](\mathsf{with}\ w'\ \mathsf{do}\ t\ \mathsf{od}) = \mathsf{with}\ w'\ \mathsf{do}\ [r/w]t\ \mathsf{od}$  otherwise 

Figure 1: Syntax of terms 



processes which resources are current (i.e. not fresh) as well as which current resources are 
available (i.e. not held by any process). 

The way in which we shall formally model the state in which processes execute is 
motivated by the way in which we shall give the net semantics to closed terms. We begin 
by defining the following sets: 

$$\begin{array}{rcl}
\mathbf{D} & = & \mathrm{Loc} \times \mathrm{Val} \\
\mathbf{L} & = & \{\mathrm{curr}(\ell) \mid \ell \in \mathrm{Loc}\} \\
\mathbf{R} & = & \mathrm{Res} \\
\mathbf{N} & = & \{\mathrm{curr}(r) \mid r \in \mathrm{Res}\}.
\end{array}$$



A state $\sigma$ is defined to be a tuple 

$$(D, L, R, N)$$

where $D \subseteq \mathbf{D}$ represents the values held by locations in the heap; $L \subseteq \mathbf{L}$ represents the 
set of current, or allocated, locations of the heap; $R \subseteq \mathbf{R}$ represents the set of available 
resources; and $N \subseteq \mathbf{N}$ represents the set of current resources. The sets $\mathbf{D}$, $\mathbf{L}$, $\mathbf{R}$ and $\mathbf{N}$ are 
disjoint, so no ambiguity arises from writing, for example, $(\ell, v) \in \sigma$. 

The interpretation of a state for the heap is that $(\ell, v) \in D$ if $\ell$ holds value $v$ and 
that $\mathrm{curr}(\ell) \in L$ if $\ell$ is current. For resources, $r \in R$ if the resource $r$ is available and 
$\mathrm{curr}(r) \in N$ if $r$ is current. It is clear that only certain such tuples of subsets are sensible. 
In particular, the heap must be defined precisely on the set of current locations, and only 
current resources may be available. 

Definition 2.1 (Consistent state). The state $(D, L, R, N)$ is consistent if we have: 

• the sets $D$, $L$, $R$ and $N$ are all finite, 

• $D$ is a partial function: for all $\ell, v$ and $v'$, if $(\ell, v) \in D$ and $(\ell, v') \in D$ then $v = v'$, 

• $L$ represents the domain of $D$: $L = \{\mathrm{curr}(\ell) \mid \exists v.\ (\ell, v) \in D\}$, and 

• all available resources are current: $R \subseteq \{r \mid \mathrm{curr}(r) \in N\}$. 

It is clear to see that the $L$ component of any given consistent state may be inferred 
from the $D$ component. It will, however, be useful to retain this information separately for 
when the net semantics is given. We shall call $D \subseteq \mathbf{D}$ a heap when it is a finite partial 
function from locations to values, and shall write $\ell \mapsto v$ for its elements rather than $(\ell, v)$. 
We shall frequently make use of the following definition of the domain of a heap $D$: 

$$\mathrm{dom}(D) \stackrel{\mathrm{def}}{=} \{\ell \mid \exists v.\ (\ell \mapsto v) \in D\}.$$

3. Process models 

The definition of state that we have adopted permits a net semantics to be defined. 
Before doing so, we shall define how heap actions are to be interpreted and then give a 
transition semantics to closed terms. 

3.1. Actions. The earlier definition of state allows a very general form of heap action to 
be defined that forms a basis for both the transition and net semantics. We assume that 
we are given the semantics of primitive actions $\alpha$ as $\mathcal{A}[\![\alpha]\!]$ comprising a set of heap pairs: 

$$\mathcal{A}[\![\alpha]\!] \subseteq \mathrm{Heap} \times \mathrm{Heap}.$$

We require that whenever $(D_1, D_2) \in \mathcal{A}[\![\alpha]\!]$, it is the case that $D_1$ and $D_2$ are (the graphs 
of) partial functions with the same domain. 

The interpretation is that $\alpha$ can proceed in heap $D$ if there are $(D_1, D_2) \in \mathcal{A}[\![\alpha]\!]$ such 
that $D$ has the same value as $D_1$ wherever $D_1$ is defined. The resulting heap is formed by 
updating $D$ to have the same value as $D_2$ wherever it is defined. It is significant that this 
definition allows us to infer precisely the set of locations upon which an action depends. 
The requirement on the domains of $D_1$ and $D_2$ ensures that actions preserve consistent 
markings (Lemma 3.25). 

Example 3.1 (Assignment). For any two locations $\ell$ and $\ell'$, let $[\ell] := [\ell']$ represent the 
action that copies the value held at location $\ell'$ to location $\ell$. Its semantics is as follows: 

$$\mathcal{A}[\![[\ell] := [\ell']]\!] = \{(\{\ell \mapsto v, \ell' \mapsto v'\}, \{\ell \mapsto v', \ell' \mapsto v'\}) \mid v, v' \in \mathrm{Val}\}$$

Following the informal account above of the semantics of actions, because in the semantics 
we have 

$$(\{\ell_0 \mapsto 0, \ell_1 \mapsto 1\}, \{\ell_0 \mapsto 1, \ell_1 \mapsto 1\}) \in \mathcal{A}[\![[\ell_0] := [\ell_1]]\!]$$

the state $\{\ell_0 \mapsto 0, \ell_1 \mapsto 1, \ell_2 \mapsto 2\}$ is updated by $[\ell_0] := [\ell_1]$ to $\{\ell_0 \mapsto 1, \ell_1 \mapsto 1, \ell_2 \mapsto 2\}$. □ 

Example 3.2 (Booleans). Boolean guards $b$ are actions that wait until the boolean expression 
holds and may then take place; they do not update the state. A selection of literals 
may be defined. For example: 

$$\mathcal{A}[\![[\ell] = v]\!] \stackrel{\mathrm{def}}{=} \{(\{\ell \mapsto v\}, \{\ell \mapsto v\})\}$$

$$\mathcal{A}[\![[\ell] = [\ell']]\!] \stackrel{\mathrm{def}}{=} \{(\{\ell \mapsto v, \ell' \mapsto v\}, \{\ell \mapsto v, \ell' \mapsto v\}) \mid v \in \mathrm{Val}\}$$

The first gives the semantics of an action that proceeds only if $\ell$ holds value $v$ and the 
second gives the semantics of an action that proceeds only if the locations $\ell$ and $\ell'$ hold the 
same value. 

Since boolean actions shall not modify the heap, they shall possess the property that: 

if $(D_1, D_2) \in \mathcal{A}[\![b]\!]$ then $D_1 = D_2$. 

This is preserved by the operations defined below. For heaps $D$ and $D'$, we use $D \uparrow D'$ to 
mean that $D$ and $D'$ are compatible as partial functions and $D \not\uparrow D'$ otherwise, i.e. if they 
disagree on the values assigned to a common location. 

$$\mathcal{A}[\![\mathsf{true}]\!] = \{(\emptyset, \emptyset)\}$$

$$\mathcal{A}[\![\mathsf{false}]\!] = \emptyset$$

$$\mathcal{A}[\![b \land b']\!] = \{(D \cup D', D \cup D') \mid D \uparrow D' \text{ and } (D, D) \in \mathcal{A}[\![b]\!] \text{ and } (D', D') \in \mathcal{A}[\![b']\!]\}$$

$$\mathcal{A}[\![b \lor b']\!] = \mathcal{A}[\![b]\!] \cup \mathcal{A}[\![b']\!]$$

$$\mathcal{A}[\![\neg b]\!] = \{(D, D) \mid D \text{ is a } \subseteq\text{-minimal heap s.t. } \forall D'.\ (D', D') \in \mathcal{A}[\![b]\!] : D \not\uparrow D'\}$$

By insisting on minimality in the clause for $\neg b$, we form an action that is defined at as few 
locations as possible to refute all grounds for $b$. □ 
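Examples 3.1 and 3.2 carried out as executable definitions, as an added example that is not code from the paper: heaps are dicts, Val is restricted to a constructed finite set so that the action sets can be enumerated, and the function names (assign, holds, same, conj, disj, neg, step) are assumed.

```python
"""Heap actions as sets of heap pairs (Section 3.1) and the boolean
combinators of Example 3.2.  Added example, not code from the paper."""
from itertools import product

# A heap is a finite partial function Loc -> Val, represented as a dict
# whose frozen form (a frozenset of (loc, val) pairs) can sit in a set.
# Loc and Val are plain ints here (Loc is a subset of Val, as in the paper).
# VAL is a constructed finite value set so that the action sets, which the
# paper allows to be infinite, can be enumerated.
VAL = (0, 1, 2)


def frozen(d):
    return frozenset(d.items())


def pair(d1, d2):
    return (frozen(d1), frozen(d2))


def compatible(d1, d2):
    """The paper's D ↑ D': the two heaps agree wherever both are defined."""
    return all(d2.get(loc, val) == val for loc, val in d1.items())


def assign(l, l2):
    """A[[ [l] := [l2] ]] of Example 3.1: copy the value at l2 into l.
    Assumes l != l2 so that the witnessing heaps are partial functions."""
    return {pair({l: v, l2: v2}, {l: v2, l2: v2}) for v in VAL for v2 in VAL}


def holds(l, v):
    """Guard [l] = v: proceeds, leaving the heap unchanged, iff l holds v."""
    return {pair({l: v}, {l: v})}


def same(l, l2):
    """Guard [l] = [l2]: proceeds iff l and l2 hold the same value."""
    return {pair({l: v, l2: v}, {l: v, l2: v}) for v in VAL}


TRUE = {pair({}, {})}
FALSE = set()


def conj(a, b):
    """A[[b ∧ b']]: unions of compatible witnesses of b and b'."""
    out = set()
    for (d, _), (d2, _) in product(a, b):
        d, d2 = dict(d), dict(d2)
        if compatible(d, d2):
            out.add(pair({**d, **d2}, {**d, **d2}))
    return out


def disj(a, b):
    """A[[b ∨ b']] is simply the union of the two action sets."""
    return a | b


def neg(b):
    """A[[¬b]]: the ⊆-minimal heaps incompatible with every witness of b.
    A heap can only be incompatible with a witness by disagreeing on a
    location the witness mentions, so searching the partial functions on
    the locations b mentions (with values from VAL) is exhaustive."""
    locs = sorted({loc for d, _ in b for loc, _ in d})
    cands = []
    for choice in product((None, *VAL), repeat=len(locs)):
        d = {loc: v for loc, v in zip(locs, choice) if v is not None}
        if all(not compatible(d, dict(d2)) for d2, _ in b):
            cands.append(d)
    minimal = [d for d in cands
               if not any(c != d and c.items() <= d.items() for c in cands)]
    return {pair(d, d) for d in minimal}


def step(action, heap):
    """Run a heap action in `heap`: every (D1, D2) with D1 ⊆ heap yields the
    heap overwritten by D2.  Each result is paired with dom(D1), the set of
    locations the step depended on, which the paper stresses can be read
    off directly from this presentation of actions.  An empty result means
    the action is stuck in this heap."""
    results = set()
    for d1, d2 in action:
        if d1 <= frozen(heap):
            new = {**heap, **dict(d2)}
            results.add((frozen(new), frozenset(loc for loc, _ in d1)))
    return results
```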



3.2. Transition semantics. As an aid to understanding the net model, and in particular to 
give a model with respect to which we can prove its correspondence, a transition semantics 
for closed terms (terms such that $\mathrm{fv}(t) = \emptyset$) is given in Figure 2. A formal relationship 
between the two semantics is presented in Theorem 3.27. The transition semantics is given 
by means of labelled transition relations of the forms $(t, \sigma) \xrightarrow{\lambda} (t', \sigma')$ and $(t, \sigma) \xrightarrow{\lambda} \sigma'$. As 
usual, the first form of transition indicates that $t$ performs an action labelled $\lambda$ in state $\sigma$ 
to yield a resumption $t'$ and a state $\sigma'$. The second indicates that $t$ in state $\sigma$ performs an 
action labelled $\lambda$ to terminate and yields a state $\sigma'$. Labels follow the grammar 

$\lambda ::= \mathrm{act}(D_1, D_2)$  heap action 
$\quad\mid\ \mathrm{alloc}(\ell, v, \ell', v')$  heap allocation 
$\quad\mid\ \mathrm{dealloc}(\ell, \ell', v)$  heap disposal 
$\quad\mid\ \mathrm{decl}(r)$  resource declaration 
$\quad\mid\ \mathrm{end}(r)$  end of resource scope 
$\quad\mid\ \mathrm{acq}(r)$  resource acquisition (critical region entry) 
$\quad\mid\ \mathrm{rel}(r)$  resource release (critical region exit). 

In the transition semantics, we write $\sigma \oplus \sigma'$ for the union of the components of two states 
where they are disjoint and impose the implicit side-condition that this is defined wherever 
it is used. For example, this implicit side-condition means, in the rule (Alloc), that for 
$\mathrm{alloc}(\ell, v, \ell', v')$ to occur we must have $\mathrm{curr}(\ell') \notin \sigma$, and hence $\ell'$ was initially non-current. 
Similarly, the rule (Res) can only be applied to derive a transition labelled $\mathrm{decl}(r)$ if the 
resource $r$ was not initially current. 

The syntax of terms is extended temporarily to include rel r and end r which are 
special terms used in the rules (Rel) and (End). These, respectively, are attached to the 
ends of terms protected by critical regions and the ends of terms in which a resource was 
declared. 

For conciseness, we do not give an error semantics to situations in which non-current 
locations or resources are used; instead, the process will become stuck. We show in Section 
that such situations are excluded by the logic. 



3.3. Petri nets. Petri nets, introduced by Petri in his 1962 thesis [Pet62], are a well-known 
model for concurrent computation. It is beyond the scope of the current article to provide 
a full account of the many variants of Petri net and their associated theories; we instead 
refer the reader to [BRR87] for a good account. Roughly, a Petri net can be thought of as 
a transition system where, instead of a transition occurring from a single global state, an 
occurrence of an event is imagined to affect only the conditions in its neighbourhood. Petri 
nets allow a derived notion of independence of events; two events are independent if their 
neighbourhoods of conditions do not intersect. 

We base our semantics on the following well-known variant of Petri net (cf. the 'basic' 
nets of [CW01] and [WN95]): 

Definition 3.3 (Petri net). A Petri net is a five-tuple, 

$$(B, E, {}^{\bullet}(-), (-)^{\bullet}, M_0).$$

The set $B$ comprises the conditions of the net, the set $E$ consists of the events of the net, 
and $M_0$ is the subset of $B$ of marked conditions (the initial marking). The maps 

$${}^{\bullet}(-), (-)^{\bullet} : E \to \mathrm{Pow}(B)$$

are the precondition and postcondition maps, respectively. 

Petri nets have an appealing graphical representation, with: 

• circles to represent conditions, 

• bold lines to represent events, 

• arrows from conditions to events to represent the precondition map, 
• arrows from events to conditions to represent the postcondition map, and 

• tokens (dots) inside conditions to represent the marking. 

(Act): 
$$\frac{(D_1, D_2) \in \mathcal{A}[\![\alpha]\!] \qquad D_1 \subseteq D \qquad D' = (D \setminus D_1) \cup D_2}{(\alpha, (D, L, R, N)) \xrightarrow{\mathrm{act}(D_1, D_2)} (D', L, R, N)}$$

(Alloc): 
$$(\mathsf{alloc}(\ell), \sigma \oplus \{\ell \mapsto v\}) \xrightarrow{\mathrm{alloc}(\ell, v, \ell', v')} \sigma \oplus \{\ell \mapsto \ell', \ell' \mapsto v', \mathrm{curr}(\ell')\}$$

(Dealloc): 
$$(\mathsf{dealloc}(\ell), \sigma \oplus \{\ell \mapsto \ell', \ell' \mapsto v', \mathrm{curr}(\ell')\}) \xrightarrow{\mathrm{dealloc}(\ell, \ell', v')} \sigma \oplus \{\ell \mapsto \ell'\}$$

(Seq): 
$$\frac{(t_1, \sigma) \xrightarrow{\lambda} (t_1', \sigma')}{(t_1 ; t_2, \sigma) \xrightarrow{\lambda} (t_1' ; t_2, \sigma')}$$

(Seq′): 
$$\frac{(t_1, \sigma) \xrightarrow{\lambda} \sigma'}{(t_1 ; t_2, \sigma) \xrightarrow{\lambda} (t_2, \sigma')}$$

(Par-1): 
$$\frac{(t_1, \sigma) \xrightarrow{\lambda} (t_1', \sigma')}{(t_1 \parallel t_2, \sigma) \xrightarrow{\lambda} (t_1' \parallel t_2, \sigma')}$$

(Par-2): 
$$\frac{(t_2, \sigma) \xrightarrow{\lambda} (t_2', \sigma')}{(t_1 \parallel t_2, \sigma) \xrightarrow{\lambda} (t_1 \parallel t_2', \sigma')}$$

(Par′-1): 
$$\frac{(t_1, \sigma) \xrightarrow{\lambda} \sigma'}{(t_1 \parallel t_2, \sigma) \xrightarrow{\lambda} (t_2, \sigma')}$$

(Par′-2): 
$$\frac{(t_2, \sigma) \xrightarrow{\lambda} \sigma'}{(t_1 \parallel t_2, \sigma) \xrightarrow{\lambda} (t_1, \sigma')}$$

(Sum-1): 
$$\frac{(\alpha_1, \sigma) \xrightarrow{\lambda} \sigma'}{(\alpha_1.t_1 + \alpha_2.t_2, \sigma) \xrightarrow{\lambda} (t_1, \sigma')}$$

(Sum-2): 
$$\frac{(\alpha_2, \sigma) \xrightarrow{\lambda} \sigma'}{(\alpha_1.t_1 + \alpha_2.t_2, \sigma) \xrightarrow{\lambda} (t_2, \sigma')}$$

(While): 
$$\frac{(b, \sigma) \xrightarrow{\lambda} \sigma}{(\mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}, \sigma) \xrightarrow{\lambda} (t ; \mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}, \sigma)}$$

(While′): 
$$\frac{(\neg b, \sigma) \xrightarrow{\lambda} \sigma}{(\mathsf{while}\ b\ \mathsf{do}\ t\ \mathsf{od}, \sigma) \xrightarrow{\lambda} \sigma}$$

(With): 
$$(\mathsf{with}\ r\ \mathsf{do}\ t\ \mathsf{od}, \sigma \oplus \{r\}) \xrightarrow{\mathrm{acq}(r)} (t ; \mathsf{rel}\ r, \sigma)$$

(Rel): 
$$(\mathsf{rel}\ r, \sigma) \xrightarrow{\mathrm{rel}(r)} \sigma \oplus \{r\}$$

(Res): 
$$(\mathsf{resource}\ w\ \mathsf{do}\ t\ \mathsf{od}, \sigma) \xrightarrow{\mathrm{decl}(r)} ([r/w]t ; \mathsf{end}\ r, \sigma \oplus \{r, \mathrm{curr}(r)\})$$

(End): 
$$(\mathsf{end}\ r, \sigma \oplus \{r, \mathrm{curr}(r)\}) \xrightarrow{\mathrm{end}(r)} \sigma$$

Figure 2: Transition semantics 

Action within nets is defined according to a token game which defines how the marking 
of the net changes according to firing of the events. An event $e$ can fire if all its preconditions 
are marked and, following their un-marking, all the postconditions are not marked. That 
is, in marking $M$, 

(1) ${}^{\bullet}e \subseteq M$ 

(2) $(M \setminus {}^{\bullet}e) \cap e^{\bullet} = \emptyset$. 
Such an event is said to have concession or to be enabled. The marking following the 
occurrence of $e$ is obtained by removing the tokens from the preconditions of $e$ and placing 
a token in every postcondition of $e$. We write $M \xrightarrow{e} M'$ where 

$$M' = (M \setminus {}^{\bullet}e) \cup e^{\bullet}.$$

If constraint (2) does not hold but constraint (1) does, so the preconditions are all marked 
(have a token inside) but following removal of the tokens from the preconditions there is 
a token in some postcondition, there is said to be contact in the marking and the event 
cannot fire. 

Consider the following example Petri net, with its transition system between markings 
derived according to the token game. 

[Figure: an example Petri net with events $e_1$ to $e_4$ and conditions $a$ to $g$, together with its transition system between markings.] 

The event $e_1$ is the only event with concession in the initial marking $\{a, g\}$. Its occurrence 
yields the marking obtained by un-marking its preconditions and marking its postconditions, 
namely $\{b, c, g\}$. In the marking $\{b, c, g\}$, contact prevents the occurrence of $e_4$ since its 
postcondition $g$ is marked following removal of the token from its precondition $c$. However, 
in the marking $\{b, c, g\}$ both event $e_2$ and event $e_3$ can occur. Note that the occurrence 
of $e_2$ in marking $\{b, c, g\}$ does not affect the occurrence of $e_3$ and vice versa since the two 
events operate on completely disjoint sets of conditions. 
For any event $e \in E$ define the notation 

$${}^{\bullet}e^{\bullet} \stackrel{\mathrm{def}}{=} {}^{\bullet}e \cup e^{\bullet}.$$

The standard notion of independence within this form of Petri net is to say that two events 
$e_1$ and $e_2$ are independent, written $e_1 \mathrel{I} e_2$, if their neighbourhoods are disjoint. That is, 

$$e_1 \mathrel{I} e_2 \iff {}^{\bullet}e_1^{\bullet} \cap {}^{\bullet}e_2^{\bullet} = \emptyset.$$

It is easy to see in general that the occurrences of independent events in a marking do not 
affect each other. 

Proposition 3.4. Let $e_1$ and $e_2$ be events of the net $N$ and suppose that $e_1 \mathrel{I} e_2$. 

• If there exist markings $M$, $M'$ and $M_1$ of $N$ such that $M \xrightarrow{e_1} M_1$ and $M_1 \xrightarrow{e_2} M'$ then 
there exists a marking $M_2$ such that $M \xrightarrow{e_2} M_2$ and $M_2 \xrightarrow{e_1} M'$. 

• If there exist markings $M$, $M_1$ and $M_2$ of $N$ such that $M \xrightarrow{e_1} M_1$ and $M \xrightarrow{e_2} M_2$ then 
there exists a marking $M'$ such that $M_1 \xrightarrow{e_2} M'$ and $M_2 \xrightarrow{e_1} M'$. □ 
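The token game, contact and the independence relation of this section, with a check of Proposition 3.4, as an added example that is not code from the paper: the net's pre- and postcondition sets are constructed to match the worked example above (the figure itself is not reproduced here), and the function names are assumed.

```python
"""Token game, contact and independence for the basic nets of Definition 3.3,
with a check of Proposition 3.4.  Added example, not code from the paper.
The net is constructed to match the worked example in the text: e1 is the
only enabled event in {a, g}, e4 is blocked by contact in {b, c, g}, and e2
and e3 are independent there.  The text does not give the full pre/post
sets, so those are assumed."""
from itertools import permutations

PRE = {"e1": {"a"}, "e2": {"b"}, "e3": {"c"}, "e4": {"c"}}
POST = {"e1": {"b", "c"}, "e2": {"d"}, "e3": {"e"}, "e4": {"g"}}
M0 = frozenset({"a", "g"})  # initial marking


def has_concession(m, e):
    """Conditions (1) and (2) of the token game: all preconditions marked
    and, once those tokens are removed, no postcondition still marked."""
    return PRE[e] <= m and not (m - PRE[e]) & POST[e]


def contact(m, e):
    """(1) holds but (2) fails: a postcondition would receive a second token."""
    return PRE[e] <= m and bool((m - PRE[e]) & POST[e])


def fire(m, e):
    """M --e--> M' with M' = (M minus pre(e)) union post(e)."""
    if not has_concession(m, e):
        raise ValueError(f"{e} has no concession in {sorted(m)}")
    return frozenset((m - PRE[e]) | POST[e])


def enabled(m):
    return {e for e in PRE if has_concession(m, e)}


def neighbourhood(e):
    """pre(e) together with post(e)."""
    return PRE[e] | POST[e]


def independent(e1, e2):
    """e1 I e2 iff the neighbourhoods of conditions are disjoint."""
    return not neighbourhood(e1) & neighbourhood(e2)


def diamond(m, e1, e2):
    """Both parts of Proposition 3.4 at marking m for independent e1, e2:
    (i) if e1 then e2 can fire from m, the other order can too and reaches
    the same marking; (ii) if both can fire from m, each can still fire
    after the other and the two orders agree.  Returns True when the
    proposition is respected at m (vacuously if neither premise holds)."""
    if not independent(e1, e2):
        raise ValueError("Proposition 3.4 only applies to independent events")
    ok = True
    if has_concession(m, e1) and has_concession(fire(m, e1), e2):
        ok = ok and has_concession(m, e2) and has_concession(fire(m, e2), e1) \
            and fire(fire(m, e1), e2) == fire(fire(m, e2), e1)
    if has_concession(m, e1) and has_concession(m, e2):
        ok = ok and has_concession(fire(m, e1), e2) \
            and has_concession(fire(m, e2), e1) \
            and fire(fire(m, e1), e2) == fire(fire(m, e2), e1)
    return ok


def reachable(m0):
    """Every marking the token game can reach from m0 (finite for this net)."""
    seen, todo = {m0}, [m0]
    while todo:
        m = todo.pop()
        for e in enabled(m):
            m2 = fire(m, e)
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen


def check_proposition_3_4(m0=M0):
    """Proposition 3.4 holds at every reachable marking, for every ordered
    pair of independent events."""
    return all(diamond(m, e1, e2)
               for m in reachable(m0)
               for e1, e2 in permutations(PRE, 2) if independent(e1, e2))
```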
3.4. Overview of net semantics. Before giving the formal definition of the net semantics 
of closed terms, by means of an example we shall illustrate how our semantics shall be 
defined. First, we shall draw the semantics of an action $\mathsf{toggle}(\ell, 0, 1)$ that toggles the 
value held at a location $\ell$ between 0 and 1. 

[Figure: the net for $\mathsf{toggle}(\ell, 0, 1)$, showing its state conditions and control conditions; on the left the initial conditions are marked, on the right the terminal conditions are marked.] 

Notice that in the above net there are conditions to represent the shared state in which 
processes execute, including for example the values held at locations (we have only drawn 
conditions that are actually used by the net). There are also conditions to represent the 
control point of the process. The net pictured on the left is in its initial marking of control 
conditions and the net on the right is in its terminal marking of control conditions, indicating 
successful completion of the process following the toggle of the value; the marking of the 
net initially had the state condition $\ell \mapsto 0$ marked and finished with the condition $\ell \mapsto 1$ 
marked. There is an event present in the net for each way that the action could take 
place: one event for toggling the value from 0 to 1 and another event for toggling the value 
from 1 to 0. Only the first event could occur in the initial marking of the net on the left, 
and no event can occur in the marking on the right since the control conditions are not 
appropriately marked. 

The parallel composition $\mathsf{toggle}(\ell, 0, 1) \parallel \mathsf{toggle}(\ell, 0, 1)$ can be formed by taking two 
copies of the net $\mathsf{toggle}(\ell, 0, 1)$ and forcing them to operate on disjoint sets of control 
conditions. 

[Figure: the net for $\mathsf{toggle}(\ell, 0, 1) \parallel \mathsf{toggle}(\ell, 0, 1)$, with shared state conditions, disjoint control conditions for the two copies, and its initial and terminal conditions.] 

An example run of this net would involve first the top event changing the value of $\ell$ from 
0 to 1 and then the bottom event changing $\ell$ back from 1 to 0. The resulting marking of 
control conditions would be equal to the terminal conditions of the net, so no event would 
have concession in this marking. 

The net representing the sequential composition 

$$(\mathsf{toggle}(\ell, 0, 1) \parallel \mathsf{toggle}(\ell, 0, 1)) ; (\mathsf{toggle}(\ell, 0, 1) \parallel \mathsf{toggle}(\ell, 0, 1))$$

is formed by a 'gluing' operation that joins the terminal conditions of one copy of the net 
for $\mathsf{toggle}(\ell, 0, 1)$ to the initial conditions of another copy of the net for $\mathsf{toggle}(\ell, 0, 1)$. (In 
this example net, for clarity we shall not show the state conditions.) 

[Figure: the 'gluing' of the two nets, the terminal conditions of the first copy being joined to the initial conditions of the second; initial and terminal conditions of the result are indicated.] 
3.5. Net structure. As outlined above, within the nets that we give for processes we 
distinguish two forms of condition, namely control conditions and state conditions. The 
markings of these sets of conditions determine the control point of the process and the state 
in which it is executing, respectively. When we give the net semantics, we will make use of 
the closure of the set of control conditions under various operations. 

Definition 3.5 (Conditions). Define the set of control conditions $\mathbf{C}$, ranged over by $c$, to 
be the least set such that: 

• $\mathbf{C}$ contains distinguished elements $i$ and $t$, standing for 'initial' and 'terminal', respectively. 

• If $c \in \mathbf{C}$ then $r{:}c \in \mathbf{C}$ for all $r \in \mathrm{Res}$ and $i{:}c \in \mathbf{C}$ for all $i \in \{1, 2\}$, to distinguish processes 
working on different resources or arising from different subterms. 

• If $c, c' \in \mathbf{C}$ then $(c, c') \in \mathbf{C}$ to allow the 'gluing' operation above. 

Define the set of state conditions $\mathbf{S}$ to be $\mathbf{D} \cup \mathbf{L} \cup \mathbf{R} \cup \mathbf{N}$. 

A state $\sigma = (D, L, R, N)$ corresponds to the marking $D \cup L \cup R \cup N$ of state conditions in 
the obvious way. Similarly, if $C$ is a marking of control conditions and $\sigma$ is a state, the pair 
$(C, \sigma)$ corresponds to the marking $C \cup \sigma$. We therefore use the notations interchangeably. 

The nets that we form shall be extensional in the sense that two events are equal if 
they have the same preconditions and the same postconditions. An event can therefore be 
regarded as a tuple 

$$e = (C, \sigma, C', \sigma')$$

with preconditions ${}^{\bullet}e \stackrel{\mathrm{def}}{=} C \cup \sigma$ and postconditions $e^{\bullet} \stackrel{\mathrm{def}}{=} C' \cup \sigma'$. To obtain a concise notation 
for working with events, we write ${}^{\mathrm{c}}e$ for the pre-control conditions of $e$: 

$${}^{\mathrm{c}}e \stackrel{\mathrm{def}}{=} {}^{\bullet}e \cap \mathbf{C}.$$

We likewise define notations $e^{\mathrm{c}}$, ${}^{D}e$, etc., and call these the components of $e$ by virtue 
of the fact that it is sufficient to define an event through the definition of its components. 
The pre-state conditions of $e$ are ${}^{\mathrm{s}}e \stackrel{\mathrm{def}}{=} {}^{D}e \cup {}^{L}e \cup {}^{R}e \cup {}^{N}e$, and we define $e^{\mathrm{s}}$ similarly. 

Two markings of control conditions are of particular importance: those marked when 
the process starts executing and those marked when the process has terminated. We call 
these the initial control conditions I and terminal control conditions T, respectively. We 
shall call a net with a partition of its conditions into control and state with the subsets of 
control conditions I and T an embedded net. For an embedded net N, we write Ic(N) for I 
and Tc(N) for T, and we write Ev(N) for its set of events. Observe that no initial marking 
of state conditions is specified. 

The semantics of a closed term t shall be an embedded net, written $\mathcal{N}[\![t]\!]$. No confusion 
arises, so we shall write Ic(t) for $\mathrm{Ic}(\mathcal{N}[\![t]\!])$, and Tc(t) and Ev(t) for $\mathrm{Tc}(\mathcal{N}[\![t]\!])$ and $\mathrm{Ev}(\mathcal{N}[\![t]\!])$, 
respectively. The nets formed shall always have the same sets of control and state conditions; 
the difference shall arise in the events present in the nets. It would be a trivial matter to 
restrict to the conditions that are actually used. 

As we give the semantics of closed terms, we will make use of several constructions on 
nets. For example, we wish the events of parallel processes to operate on disjoint sets of 
control conditions. This is conducted using a tagging operation on events. We define 1:e to 
be the event e changed so that 

$${}^{\circ}(1{:}e) = \{1{:}c \mid c \in {}^{\circ}e\} \qquad (1{:}e)^{\circ} = \{1{:}c \mid c \in e^{\circ}\}$$ 

but otherwise unchanged in its action on state conditions. We define the notations 2:e and 
r:e where $r \in \mathit{Res}$ similarly. The notations are extended pointwise to sets of events: 

$$1{:}E = \{1{:}e \mid e \in E\}.$$ 

Another useful operation is what we call gluing two embedded nets together. For 
example, when forming the sequential composition of processes $t_1; t_2$, we want to enable 
the events of $t_2$ when $t_1$ has terminated. This is done by 'gluing' the two nets together 
at the terminal conditions of $t_1$ and the initial conditions of $t_2$, having made them disjoint 
on control conditions using tagging. Wherever a terminal condition c of $\mathrm{Tc}(t_1)$ occurs as a 
pre- or a postcondition of an event of $t_1$, every element of the set $\{1{:}c\} \times (2{:}\mathrm{Ic}(t_2))$ would 
occur in its place. Similarly, the events of $t_2$ use the set of conditions $(1{:}\mathrm{Tc}(t_1)) \times \{2{:}c'\}$ 
instead of an initial condition c' of $\mathrm{Ic}(t_2)$. A variety of control properties that the nets we 
form possess (Lemma 3.11), such as that all events have at least one pre-control condition, 
allows us to infer that it is impossible for an event of $t_2$ to occur before $t_1$ has terminated, 
and thereon it is impossible for $t_1$ to resume. An example follows shortly. 

Assume a set $P \subseteq C \times C$. Useful definitions to represent gluing are: 

$$\begin{aligned} P \lhd C &\stackrel{\text{def}}{=} \{(c_1, c_2) \mid c_1 \in C \text{ and } (c_1, c_2) \in P\} \cup \{c_1 \mid c_1 \in C \text{ and } \nexists c_2.\,(c_1, c_2) \in P\} \\ P \rhd C &\stackrel{\text{def}}{=} \{(c_1, c_2) \mid c_2 \in C \text{ and } (c_1, c_2) \in P\} \cup \{c_2 \mid c_2 \in C \text{ and } \nexists c_1.\,(c_1, c_2) \in P\} \end{aligned}$$ 

The first definition, $P \lhd C$, indicates that an occurrence of $c_1$ in C is to be replaced by 
occurrences of $(c_1, c_2)$ for every $c_2$ such that $(c_1, c_2)$ occurs in P. The second definition, 
$P \rhd C$, indicates that an occurrence of $c_2$ in C is to be replaced by occurrences of $(c_1, c_2)$ 
for every $c_1$ such that $(c_1, c_2)$ occurs in P. 
The notation is extended to events to give an event $P \lhd e$ in the following way, recalling 
that gluing will only affect the control conditions used by an event and in particular not its 
state conditions: 

$${}^{\circ}(P \lhd e) \stackrel{\text{def}}{=} P \lhd ({}^{\circ}e) \qquad (P \lhd e)^{\circ} \stackrel{\text{def}}{=} P \lhd (e^{\circ}) \qquad {}^{S}(P \lhd e) \stackrel{\text{def}}{=} {}^{S}e \qquad (P \lhd e)^{S} \stackrel{\text{def}}{=} e^{S}.$$ 

The notation $P \rhd e$ is defined similarly, and it is also extended to sets of events in the obvious 
pointwise manner. For any marking $M = (C, \sigma)$, we will write $P \lhd M$ for $(P \lhd C, \sigma)$ and 
similarly write $P \rhd M$ for $(P \rhd C, \sigma)$. 

To give an example, consider the gluings $P \lhd C_1$ and $P \rhd C_2$ where $C_1 = \{a, b\}$ and 
$C_2 = \{c, d\}$ are joined at $P = C_1 \times C_2$. Applying $P \lhd C_1$ to the left net and $P \rhd C_2$ to the 
right net below, this indicates how gluing is used to sequentially compose embedded nets: 

[Figure: the left net, whose event has postconditions a and b, and the right net, whose event has preconditions c and d, glue to form a net in which both events use the conditions (a, c), (a, d), (b, c) and (b, d) in their place.] 
The operations of gluing and tagging affect only the control flow of events, not their 
effect on the marking of state conditions. 

Lemma 3.6. Let N be an embedded net with control conditions C. Suppose that $P \subseteq C \times C$. 
For any marking M of N and tag $x \in \mathit{Res} \cup \{1, 2\}$: 

• $M \xrightarrow{e} M'$ iff $x{:}M \xrightarrow{x:e} x{:}M'$, 

• $M \xrightarrow{e} M'$ iff $P \lhd M \xrightarrow{P \lhd e} P \lhd M'$, and 

• $M \xrightarrow{e} M'$ iff $P \rhd M \xrightarrow{P \rhd e} P \rhd M'$. 

Furthermore: 

• if $1{:}M \xrightarrow{1:e} M'_1$ then $M'_1 = 1{:}M'$ for some M', 

• if $P \lhd M \xrightarrow{P \lhd e} M'_1$ then $M'_1 = P \lhd M'$ for some M', and 

• if $P \rhd M \xrightarrow{P \rhd e} M'_1$ then $M'_1 = P \rhd M'$ for some M'. 

Proof. The first and fourth items are straightforward to prove. The remaining properties 
may be shown using the following easily-demonstrated equations, along with their counter- 
parts for $\rhd$, for any subsets of control conditions C and C': 

(1) $C = \emptyset$ iff $P \lhd C = \emptyset$, 

(2) $P \lhd (C \setminus C') = (P \lhd C) \setminus (P \lhd C')$, 

(3) $P \lhd (C \cup C') = (P \lhd C) \cup (P \lhd C')$, and 

(4) $P \lhd (C \cap C') = (P \lhd C) \cap (P \lhd C')$. □ 
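The gluing example above and Lemma 3.6 can be checked mechanically on finite nets. The following Python is an added worked example, not code from the paper: it represents control conditions as plain values, a tagged condition x:c as the pair (x, c), a glued condition as the pair (c1, c2), and an event by its control components only (its state components are untouched by tagging and gluing). The names tag, glue_left (P ◁), glue_right (P ▷), fire_c (the control-only firing rule, including the contact check) and seq_compose, and the two one-event nets LEFT and RIGHT, are all constructed for this illustration.

```python
from itertools import product

def tag(x, conds):
    """x:C, the conditions of C prefixed with the tag x (a resource or 1/2)."""
    return frozenset((x, c) for c in conds)

def glue_left(P, C):
    """P ◁ C: each c1 in C is replaced by (c1, c2) for every (c1, c2) in P;
    a condition with no partner in P is kept as it is."""
    out = set()
    for c1 in C:
        partners = {(p1, p2) for (p1, p2) in P if p1 == c1}
        out |= partners or {c1}
    return frozenset(out)

def glue_right(P, C):
    """P ▷ C: the symmetric operation on second components."""
    out = set()
    for c2 in C:
        partners = {(p1, p2) for (p1, p2) in P if p2 == c2}
        out |= partners or {c2}
    return frozenset(out)

# An event is recorded here only by its control components (°e, e°); tagging
# and gluing leave the state components untouched, so they are omitted.
def tag_event(x, e):
    return (tag(x, e[0]), tag(x, e[1]))

def glue_left_event(P, e):
    return (glue_left(P, e[0]), glue_left(P, e[1]))

def glue_right_event(P, e):
    return (glue_right(P, e[0]), glue_right(P, e[1]))

def fire_c(C, e):
    """C --e-->c C' on control conditions: °e must be marked, no condition of
    e° outside °e may already be marked (contact), and the result is
    (C \\ °e) ∪ e°.  Returns None when e has no concession in C."""
    pre, post = e
    if not pre <= C or (C - pre) & post:
        return None
    return (C - pre) | post

def seq_compose(net1, net2):
    """(Ic, Tc, Ev) of t1;t2: tag both nets, then glue 1:Tc(t1) to 2:Ic(t2)
    on P = 1:Tc(t1) × 2:Ic(t2).  Returns the net together with P."""
    Ic1, Tc1, Ev1 = net1
    Ic2, Tc2, Ev2 = net2
    P = frozenset(product(tag(1, Tc1), tag(2, Ic2)))
    Ev = ({glue_left_event(P, tag_event(1, e)) for e in Ev1}
          | {glue_right_event(P, tag_event(2, e)) for e in Ev2})
    return tag(1, Ic1), tag(2, Tc2), Ev, P

# Constructed nets: the left one has a single event from its initial condition
# p to the terminal conditions {a, b}; the right one has a single event from its
# initial conditions {c, d} to the terminal condition q.
LEFT = (frozenset({'p'}), frozenset({'a', 'b'}),
        {(frozenset({'p'}), frozenset({'a', 'b'}))})
RIGHT = (frozenset({'c', 'd'}), frozenset({'q'}),
         {(frozenset({'c', 'd'}), frozenset({'q'}))})

def run_sequential():
    """Fire the composed net from Ic(t1;t2); t2's event is blocked until t1
    has terminated, at which point exactly the conditions of P are marked."""
    Ic, Tc, Ev, P = seq_compose(LEFT, RIGHT)
    e1, = [e for e in Ev if e[0] == tag(1, LEFT[0])]
    e2, = [e for e in Ev if e[1] == tag(2, RIGHT[1])]
    first = fire_c(Ic, e2)           # t2's event before t1 terminates: None
    after_e1 = fire_c(Ic, e1)        # t1 terminates: the marking is P
    after_e2 = fire_c(after_e1, e2)  # now t2's event has concession
    return first, after_e1, after_e2, P, Tc

def lemma36_glue_commutes(P, C, e):
    """Lemma 3.6 on one step: C --e-->c C' iff P◁C --P◁e-->c P◁C'."""
    lhs = fire_c(C, e)
    rhs = fire_c(glue_left(P, C), glue_left_event(P, e))
    return (lhs is None and rhs is None) or (lhs is not None and rhs == glue_left(P, lhs))
```

Running run_sequential() reproduces the picture: the marking reached after the left net's event is exactly P, the four glued pairs, and only then does the right net's event have concession.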



3.6. Net semantics. The net semantics that we now give for closed terms is defined by 
induction on the size of terms, given in the obvious way. The reason why it is not given by 
induction on terms is that the semantics of resource w do t od is given according to the 
semantics of [r/w]t for all resources r. 
▷ Heap action: Let $\mathrm{act}_{(C, C')}(D_1, D_2)$ denote an event e with 

$${}^{\circ}e = C \qquad e^{\circ} = C' \qquad {}^{D}e = D_1 \qquad e^{D} = D_2$$ 

and all other components empty, i.e. ${}^{L}e = e^{L} = {}^{R}e = e^{R} = {}^{N}e = e^{N} = \emptyset$. For an action 
α, we define: 

$$\mathrm{Ic}(\alpha) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(\alpha) \stackrel{\text{def}}{=} \{t\}$$ 

$$\mathrm{Ev}(\alpha) \stackrel{\text{def}}{=} \{\mathrm{act}_{(\{i\},\{t\})}(D_1, D_2) \mid (D_1, D_2) \in \mathcal{A}[\![\alpha]\!]\}.$$ 

Example 3.7 ($\mathcal{N}[\![[\ell] := 5]\!]$). Recall that 

$$\mathcal{A}[\![[\ell] := 5]\!] = \{(\{\ell \mapsto v\}, \{\ell \mapsto 5\}) \mid v \in \mathit{Val}\},$$ 

so 

$$\mathrm{Ev}([\ell] := 5) = \{\mathrm{act}_{(\{i\},\{t\})}(\{\ell \mapsto v\}, \{\ell \mapsto 5\}) \mid v \in \mathit{Val}\}.$$ 

The definitions give the net $\mathcal{N}[\![[\ell] := 5]\!]$: 

[Figure: the net for $[\ell] := 5$, with control conditions $\mathrm{Ic}([\ell] := 5) = \{i\}$ and $\mathrm{Tc}([\ell] := 5) = \{t\}$, state conditions $\ell \mapsto v$ for each $v \in \mathit{Val}$, and for each v one event $\mathrm{act}_{(\{i\},\{t\})}(\{\ell \mapsto v\}, \{\ell \mapsto 5\})$ from i and $\ell \mapsto v$ to t and $\ell \mapsto 5$.] 
▷ Allocation and deallocation: The command alloc(ℓ) activates, by making current 
and assigning an arbitrary value to, a non-current location and sets ℓ to point at it. For 
symmetry, dealloc(ℓ) deactivates the current location pointed to by ℓ. 

We begin by defining two further event notations. First, $\mathrm{alloc}_{(C,C')}(\ell, v, \ell', v')$ is the 
event e such that ${}^{\circ}e = C$ and $e^{\circ} = C'$ and 

$${}^{D}e = \{\ell \mapsto v\} \qquad e^{D} = \{\ell \mapsto \ell',\ \ell' \mapsto v'\} \qquad e^{N} = \{\mathrm{curr}(\ell')\},$$ 

and otherwise empty components, which changes ℓ' from being non-current to current, 
gives it value v' and changes the value held at ℓ from v to ℓ'. If the condition curr(ℓ') is 
marked before the event takes place, contact occurs, so the event has concession only if 
the location ℓ' is not initially current. Second, $\mathrm{dealloc}_{(C,C')}(\ell, \ell', v')$ is the event e such 
that ${}^{\circ}e = C$ and $e^{\circ} = C'$ and 

$${}^{D}e = \{\ell \mapsto \ell',\ \ell' \mapsto v'\} \qquad e^{D} = \{\ell \mapsto \ell'\} \qquad {}^{N}e = \{\mathrm{curr}(\ell')\},$$ 

which does the converse of allocation. The location ℓ is left with a dangling pointer to ℓ'. 
The two events may be drawn as: 

[Figure: the events $\mathrm{alloc}_{(C,C')}(\ell, v, \ell', v')$ and $\mathrm{dealloc}_{(C,C')}(\ell, \ell', v')$ drawn with the pre- and postconditions listed above.] 

The semantics of allocation is given by: 

$$\mathrm{Ic}(\mathrm{alloc}(\ell)) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(\mathrm{alloc}(\ell)) \stackrel{\text{def}}{=} \{t\}$$ 

$$\mathrm{Ev}(\mathrm{alloc}(\ell)) \stackrel{\text{def}}{=} \{\mathrm{alloc}_{(\{i\},\{t\})}(\ell, v, \ell', v') \mid \ell' \in \mathit{Loc} \text{ and } v, v' \in \mathit{Val}\}.$$ 

Note that there is an event present for every value that ℓ might initially hold and every 
value that ℓ' might be assumed to take initially. 

The semantics of disposal is given by: 

$$\mathrm{Ic}(\mathrm{dealloc}(\ell)) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(\mathrm{dealloc}(\ell)) \stackrel{\text{def}}{=} \{t\}$$ 

$$\mathrm{Ev}(\mathrm{dealloc}(\ell)) \stackrel{\text{def}}{=} \{\mathrm{dealloc}_{(\{i\},\{t\})}(\ell, \ell', v') \mid \ell' \in \mathit{Loc} \text{ and } v' \in \mathit{Val}\}.$$ 
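The heap-action, allocation and deallocation clauses above, together with the contact rule that blocks an alloc event whose target location is already current, can be exercised on a finite domain. The following Python is an added example, not code from the paper: it fixes constructed domains LOC = {1, 2} and VAL = {0, 5, 1, 2}, encodes ℓ ↦ v as ('pt', ℓ, v) and curr(ℓ) as ('curr', ℓ), uses the strings 'i' and 't' (and a constructed 'u') as control conditions, and represents an event extensionally by its (preconditions, postconditions) pair. The function names act, alloc_event, dealloc_event, ev_assign, ev_alloc, ev_dealloc, fire and enabled are constructed for this illustration.

```python
LOC = (1, 2)             # constructed domains: two locations ...
VAL = (0, 5) + LOC       # ... and values, which may themselves be locations

def pt(l, v):
    """The heap condition ℓ ↦ v."""
    return ('pt', l, v)

def curr(l):
    """The condition curr(ℓ): location ℓ is current."""
    return ('curr', l)

def act(C, C2, D1, D2):
    """act_{(C,C')}(D1, D2): only the control and heap components are non-empty."""
    return (frozenset(C) | frozenset(D1), frozenset(C2) | frozenset(D2))

def alloc_event(C, C2, l, v, l2, v2):
    """alloc_{(C,C')}(ℓ, v, ℓ', v'): ᴰe = {ℓ↦v}, eᴰ = {ℓ↦ℓ', ℓ'↦v'}, eᴺ = {curr(ℓ')}.
    curr(ℓ') is a postcondition only, so contact blocks the event when ℓ' is current."""
    return (frozenset(C) | {pt(l, v)},
            frozenset(C2) | {pt(l, l2), pt(l2, v2), curr(l2)})

def dealloc_event(C, C2, l, l2, v2):
    """dealloc_{(C,C')}(ℓ, ℓ', v'): the converse; ℓ keeps a dangling pointer to ℓ'."""
    return (frozenset(C) | {pt(l, l2), pt(l2, v2), curr(l2)},
            frozenset(C2) | {pt(l, l2)})

def ev_assign(l, n):
    """Ev([ℓ] := n) = {act_{({i},{t})}({ℓ↦v}, {ℓ↦n}) | v ∈ Val}."""
    return {act({'i'}, {'t'}, {pt(l, v)}, {pt(l, n)}) for v in VAL}

def ev_alloc(l):
    """Ev(alloc(ℓ)): one event per initial value v of ℓ, target ℓ' and new value v'."""
    return {alloc_event({'i'}, {'t'}, l, v, l2, v2)
            for l2 in LOC for v in VAL for v2 in VAL}

def ev_dealloc(l):
    """Ev(dealloc(ℓ)): one event per pointed-to location ℓ' and its value v'."""
    return {dealloc_event({'i'}, {'t'}, l, l2, v2) for l2 in LOC for v2 in VAL}

def fire(M, e):
    """M --e--> M': concession (•e ⊆ M) and no contact ((M \\ •e) ∩ e• = ∅)."""
    pre, post = e
    if not pre <= M or (M - pre) & post:
        return None
    return (M - pre) | post

def enabled(M, events):
    """The events of the given set that have concession in marking M."""
    return {e for e in events if fire(M, e) is not None}

def demo_alloc_dealloc():
    """Location 1 is current and holds 0; location 2 is non-current.  Only the
    alloc(1) events targeting location 2 are enabled (contact rules out 1), and
    none are enabled once both locations are current.  After one allocation,
    a dealloc step (with constructed control conditions t -> u) leaves 1
    pointing at the now non-current location 2."""
    M0 = frozenset({'i', pt(1, 0), curr(1)})                    # constructed
    en = enabled(M0, ev_alloc(1))
    targets = {c[1] for e in en for c in e[1] if c[0] == 'curr'}
    both_current = enabled(M0 | {curr(2)}, ev_alloc(1))
    M1 = fire(M0, alloc_event({'i'}, {'t'}, 1, 0, 2, 5))
    M2 = fire(M1, dealloc_event({'t'}, {'u'}, 1, 2, 5))
    return targets, len(en), len(both_current), M1, M2

def demo_assign():
    """[1] := 5 from the same marking: exactly the v = 0 event is enabled."""
    M0 = frozenset({'i', pt(1, 0), curr(1)})
    en = enabled(M0, ev_assign(1, 5))
    return len(en), fire(M0, next(iter(en)))
```

The count returned by demo_alloc_dealloc() equals |Val|: with ℓ = 1 holding 0 and only location 2 non-current, the enabled events are precisely $\mathrm{alloc}_{(\{i\},\{t\})}(1, 0, 2, v')$ for each v', which is the "event for every value ℓ' might take" noted above.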
▷ Sequential composition: The sequential composition of terms involves gluing the ter- 
minal marking of the net for $t_1$ to the initial marking of the net for $t_2$. The operation is 
therefore performed on the set 

$$P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2).$$ 

Following the intuition above, we take 

$$\mathrm{Ic}(t_1; t_2) \stackrel{\text{def}}{=} 1{:}\mathrm{Ic}(t_1) \qquad \mathrm{Tc}(t_1; t_2) \stackrel{\text{def}}{=} 2{:}\mathrm{Tc}(t_2)$$ 

$$\mathrm{Ev}(t_1; t_2) \stackrel{\text{def}}{=} (P \lhd 1{:}\mathrm{Ev}(t_1)) \cup (P \rhd 2{:}\mathrm{Ev}(t_2)).$$ 

The formation of the sequential composition on control conditions may be drawn schemat- 
ically as: 

[Figure: the net with events $\mathrm{Ev}(t_1)$ between $\mathrm{Ic}(t_1)$ and $\mathrm{Tc}(t_1)$ and the net with events $\mathrm{Ev}(t_2)$ between $\mathrm{Ic}(t_2)$ and $\mathrm{Tc}(t_2)$ are glued on $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2)$ to form the net with events $P \lhd 1{:}\mathrm{Ev}(t_1)$ and $P \rhd 2{:}\mathrm{Ev}(t_2)$ between $\mathrm{Ic}(t_1; t_2)$ and $\mathrm{Tc}(t_1; t_2)$.] 
▷ Parallel composition: The control flow of the parallel composition of processes is au- 
tonomous; interaction occurs only through the state. We therefore force the events of the 
two processes to work on disjoint sets of control conditions by giving them different tags: 

$$\mathrm{Ic}(t_1 \parallel t_2) \stackrel{\text{def}}{=} 1{:}\mathrm{Ic}(t_1) \cup 2{:}\mathrm{Ic}(t_2) \qquad \mathrm{Tc}(t_1 \parallel t_2) \stackrel{\text{def}}{=} 1{:}\mathrm{Tc}(t_1) \cup 2{:}\mathrm{Tc}(t_2)$$ 

$$\mathrm{Ev}(t_1 \parallel t_2) \stackrel{\text{def}}{=} 1{:}\mathrm{Ev}(t_1) \cup 2{:}\mathrm{Ev}(t_2).$$ 

Note that the definition of the semantics of parallel composition is associative and commu- 
tative only if we regard nets up to isomorphism on the control conditions. 
▷ Guarded sum: Let t be the term $\alpha_1.t_1 + \alpha_2.t_2$. The sum is formed by prefixing the 
actions onto the tagged nets representing the terms and then gluing the sets of terminal 
conditions. Let $P = (1{:}\mathrm{Tc}(t_1)) \times (2{:}\mathrm{Tc}(t_2))$. Define: 

$$\mathrm{Ic}(t) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(t) \stackrel{\text{def}}{=} P$$ 

$$\begin{aligned}\mathrm{Ev}(t) \stackrel{\text{def}}{=}\ &\{\mathrm{act}_{(\{i\},\,1:\mathrm{Ic}(t_1))}(D_1, D_2) \mid (D_1, D_2) \in \mathcal{A}[\![\alpha_1]\!]\} \\ \cup\ &\{\mathrm{act}_{(\{i\},\,2:\mathrm{Ic}(t_2))}(D_1, D_2) \mid (D_1, D_2) \in \mathcal{A}[\![\alpha_2]\!]\} \\ \cup\ &P \lhd (1{:}\mathrm{Ev}(t_1)) \cup P \rhd (2{:}\mathrm{Ev}(t_2)).\end{aligned}$$ 

The net may be pictured schematically as follows, in which we have drawn only one 
representative event for each of $\alpha_1$ and $\alpha_2$, and have elided the effect of these events on 
state conditions. 

[Figure: from the initial condition i, an event for $\alpha_1$ leads to $1{:}\mathrm{Ic}(t_1)$ and an event for $\alpha_2$ leads to $2{:}\mathrm{Ic}(t_2)$; the terminal conditions $1{:}\mathrm{Tc}(t_1)$ and $2{:}\mathrm{Tc}(t_2)$ are glued together on P.] 
On a technical point, one may wonder why the syntax of the language requires that 
sums possess guards. This is seemingly curious since the category of safe Petri nets, 
which intuitively underlies a category of embedded nets, has a coproduct construction. 
However, as remarked in Section 5 of [Win87], there are cases where the coproduct of 
nets does not coincide with the usual interpretation of nondeterministic sum. In Section 
3.3 of [Win86], this is explained as the occurrence net unfolding (the 'behaviour') of the 
coproduct of two nets not being equal to the coproduct of their respective unfoldings. To 
repeat an example given there, letting + represent coproduct in the category of safe nets, 
we have: 

[Figure: the coproduct, in the category of safe nets, of the net for a and the net for while true do a' od, as given there.] 
Consequently, using this coproduct as a definition of general sum, the runs of the net 
representing a + (while true do a') would consist of some finite number of executions of 
a' followed, possibly, by one of a. Quite clearly, this does not correspond to the normal 
understanding of nondeterminism presented in the transition semantics. 

The restriction of processes to only use guarded sums allows us to recover the standard 
interpretation of sums (hence allowing the standard structural operational rule for sums). 
As stated in [Win87, Win86], another alternative would be to ensure that no event has a 
postcondition inside the initial conditions of the net. This would necessitate a different 
semantics for while loops, possibly along the lines of [vGV87], which would unfold one 
iteration of any loop. 

▷ Iteration: To form the net for while b do t od we glue the initial and the terminal 
conditions of b.t together and then add events to exit the loop when ¬b holds. Let 
$P = \{i\} \times 1{:}\mathrm{Tc}(t)$. Define: 

$$\mathrm{Ic}(\mathbf{while}\ b\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} P \qquad \mathrm{Tc}(\mathbf{while}\ b\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{t\}$$ 

$$\begin{aligned}\mathrm{Ev}(\mathbf{while}\ b\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=}\ &\{\mathrm{act}_{(P,\,1:\mathrm{Ic}(t))}(D, D) \mid (D, D) \in \mathcal{A}[\![b]\!]\} \\ \cup\ &\{\mathrm{act}_{(P,\,\{t\})}(D, D) \mid (D, D) \in \mathcal{A}[\![\neg b]\!]\} \\ \cup\ &P \rhd (1{:}\mathrm{Ev}(t)).\end{aligned}$$ 

The loop can be visualized in the following way (in which we only present one event, $e_b$, 
for the boolean b and one event, $e_{\neg b}$, for the boolean ¬b): 

[Figure: the loop net, in which $e_b$ leads from the glued conditions $P = \mathrm{Ic}(\mathbf{while}\ b\ \mathbf{do}\ t\ \mathbf{od})$ to $1{:}\mathrm{Ic}(t)$, the events $P \rhd 1{:}\mathrm{Ev}(t)$ lead from $1{:}\mathrm{Ic}(t)$ back to P, and $e_{\neg b}$ leads from P to the terminal condition t.] 
▷ Critical regions and local resources: We introduce the following notations for resource 
events: 

$$\begin{aligned}\mathrm{decl}_{(C,C')}(r):\ & e^{R} = \{r\} \text{ and } e^{N} = \{\mathrm{curr}(r)\} \\ \mathrm{end}_{(C,C')}(r):\ & {}^{R}e = \{r\} \text{ and } {}^{N}e = \{\mathrm{curr}(r)\} \\ \mathrm{acq}_{(C,C')}(r):\ & {}^{R}e = \{r\} \\ \mathrm{rel}_{(C,C')}(r):\ & e^{R} = \{r\}\end{aligned}$$ 

These all have ${}^{\circ}e = C$ and $e^{\circ} = C'$, and the components other than those listed are 
empty. Observe that the event $\mathrm{decl}_{(C,C')}(r)$ will avoid contact, and thus be able to occur, 
only if the resource r is initially non-current. 

First consider resource w do t od. Its initial and terminal conditions are defined as: 

$$\mathrm{Ic}(\mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(\mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{t\}.$$ 

Its events are defined as: 

$$\begin{aligned}\mathrm{Ev}(\mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=}\ &\{\mathrm{decl}_{(\{i\},\,r:\mathrm{Ic}(t'))}(r),\ \mathrm{end}_{(r:\mathrm{Tc}(t'),\,\{t\})}(r) \mid r \in \mathit{Res} \text{ and } t' = [r/w]t\} \\ \cup\ &\bigcup\{r{:}\mathrm{Ev}(t') \mid r \in \mathit{Res} \text{ and } t' = [r/w]t\}.\end{aligned}$$ 

The net formed can be depicted: 

[Figure: for representative resources r and r', the events decl(r), $r{:}\mathrm{Ev}([r/w]t)$ and end(r), and likewise decl(r'), $r'{:}\mathrm{Ev}([r'/w]t)$ and end(r'), lead from the initial condition i to the terminal condition t, together with the conditions curr(r) and curr(r').] 

As such, the semantics of resource variable binding is a representation of the nondeter- 
ministic choice of resource to be selected to be used for the variable. Only one resource 
shall be chosen for the variable, and it will initially have been non-current thanks to the 
contact described above. Note that the semantics is invariant under α-equivalence ≡. 

Now consider the term with r do t od. Its semantics is, informally, to acquire the 
resource r, then to execute t, and finally to release the resource r: 

$$\mathrm{Ic}(\mathbf{with}\ r\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{i\} \qquad \mathrm{Tc}(\mathbf{with}\ r\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{t\}$$ 

$$\mathrm{Ev}(\mathbf{with}\ r\ \mathbf{do}\ t\ \mathbf{od}) \stackrel{\text{def}}{=} \{\mathrm{acq}_{(\{i\},\,r:\mathrm{Ic}(t))}(r)\} \cup r{:}\mathrm{Ev}(t) \cup \{\mathrm{rel}_{(r:\mathrm{Tc}(t),\,\{t\})}(r)\}.$$ 



3.7. Runs of nets. A well-known property of independence models is that they support a 
form of run of the net in which independent actions are not interleaved: given any sequence 
of events of the net between two markings, we can swap the consecutive occurrences of any 
two independent events to yield a run between the same two markings. As seen in for 
example [WN95], this allows us to form an equivalence class of runs between the same 
markings, generating a Mazurkiewicz trace. This yields a partially ordered multiset, or 
pomset, run [Pra86], in which the independence of event occurrences is captured through 
them being incomparable. 

Definition 3.8. A pomset path of a net $N = (B, E, {}^{\bullet}(\cdot), (\cdot)^{\bullet}, M_0)$ is a tuple $\pi = (X, \leq, \lambda)$ 
such that 

• X is a finite set; 

• ≤ is a partial order on X; 

• $\lambda : X \to E$; and 

• for all $x, x' \in X$, if $x \not\leq x'$ and $x' \not\leq x$ then $\lambda(x)\ I\ \lambda(x')$. 

The elements of X can be thought of via λ as occurrences of events. Where two occur- 
rences are unrelated through the order ≤, they can be thought of as occurring concurrently. 
Their independence ensures that the effect of this is defined simply as any sequential oc- 
currence of the events. 

Definition 3.9. A sequence is a path $\pi = (X, \leq, \lambda)$ in which ≤ is a total order on X. Let 
$x_1$ be the event occurrence least in X according to ≤; let $x_2$ be the least event occurrence 
strictly greater than $x_1$; and so on, all the way up to $x_n$ which is the greatest event occurrence 
according to ≤ for n equal to the size of X (assumed to be finite). The sequence π can be 
written as $e_1, \ldots, e_n$, where $\lambda(x_i) = e_i$ for all $1 \leq i \leq n$. Say that a sequence $\pi = e_1, \ldots, e_n$ 
is from marking M to marking M' in N if there exist $M_0, \ldots, M_n$ such that in N 

$$M = M_0 \xrightarrow{e_1} M_1 \cdots \xrightarrow{e_n} M_n = M'.$$ 

Note that the empty path is from marking M to marking M for any marking M. We 
shall say that a pomset path $(X, \leq, \lambda)$ is from marking M to M' if there exists any extension 
of ≤ to a total order ≤' such that $(X, \leq', \lambda)$ is a sequence from M to M'. As discussed, it 
is a standard result that any other extension of ≤ to a total order also yields a path from 
M to M'. 

In fact, when we consider concurrent separation logic, we will only need to consider 
paths that are sequences, so in the rest of this paper we shall restrict attention to them; all 
our results generalize straightforwardly to pomsets. From now on, we shall therefore use 
the terms 'sequence', 'path' and 'run' interchangeably. We have chosen to highlight pomset 
runs (for conciseness, we have not presented other forms of 'run' of a net, such as causal 
nets) simply to show that Petri nets possess a notion of run that is non-interleaved. 

Write $()$ for the path comprising no events and write e for the path with just a single 
event e. We introduce the notation $\pi : M \longrightarrow^{*} M'$ to mean that π is a path from marking 
M to marking M', and write $M \longrightarrow^{*} M'$ if there exists a path from marking M to marking 
M'. We shall also write $\pi_1 \cdot \pi_2$ for the composition of sequential paths; clearly, $M \xrightarrow{\pi_1 \cdot \pi_2}{}^{*} M'$ 
iff there exists M'' such that $M \xrightarrow{\pi_1}{}^{*} M''$ and $M'' \xrightarrow{\pi_2}{}^{*} M'$. 

Finally, the tagging and gluing operations are extended to paths pointwise: 

$$\begin{aligned} x{:}(e_1, \ldots, e_n) &\stackrel{\text{def}}{=} (x{:}e_1), \ldots, (x{:}e_n) \\ P \lhd (e_1, \ldots, e_n) &\stackrel{\text{def}}{=} (P \lhd e_1), \ldots, (P \lhd e_n) \\ P \rhd (e_1, \ldots, e_n) &\stackrel{\text{def}}{=} (P \rhd e_1), \ldots, (P \rhd e_n) \end{aligned}$$ 

3.8. Structural properties. Here we establish characterizations of the runs of the net 
$\mathcal{N}[\![t]\!]$ according to the structure of t. The reader may wish to pass over these technical, but 
important, details and go directly to Section 3.9. 

A complicating factor in characterizing the runs is that we cannot describe a priori 
the markings reachable in the net for t from an initial state simply from the markings 
reachable from the nets representing the subterms of t (allowing for the substitution of 
resources for resource names) running from suitable initial states; this property, as one 
would expect, fails for parallel composition. However, we can establish properties about the 
control flow of programs. Since such properties are insensitive to the interaction through 
shared state of parallel processes, they may be established inductively on (the size of) terms. 

For an event e and markings of control conditions C and C', we write $C \xrightarrow{e}_{c} C'$ if the event 
e has concession in the marking C when considering only its control conditions, and its 
occurrence would result in the marking of control conditions C': 

$$C \xrightarrow{e}_{c} C' \iff {}^{\circ}e \subseteq C \text{ and } (C \setminus {}^{\circ}e) \cap e^{\circ} = \emptyset \text{ and } C' = (C \setminus {}^{\circ}e) \cup e^{\circ}.$$ 

We write $\sigma \xrightarrow{e}_{s} \sigma'$ if the event e has concession on state conditions in the marking σ and 
its occurrence yields the marking of state conditions σ'. 

Lemma 3.10. For any event e and markings C, C' of control conditions and σ, σ' of state 
conditions, $(C, \sigma) \xrightarrow{e} (C', \sigma')$ iff $C \xrightarrow{e}_{c} C'$ and $\sigma \xrightarrow{e}_{s} \sigma'$. □ 

Following the above notation, we shall write $\pi : C \longrightarrow^{*}_{c} C'$ if the path π is from the 
control marking C to C', defined in the obvious way. We shall say that a marking C' is 
control-reachable from C, written $C \longrightarrow^{*}_{c} C'$, if there exists a path π such that $\pi : C \longrightarrow^{*}_{c} C'$. 
A particular consequence of the above lemma is that the marking (C', σ') is reachable from 
(C, σ) only if C' is control-reachable from C. 

We begin with some fairly straightforward properties about the initial and terminal 
markings and the sets of pre- and postconditions of each event being nonempty. The first 
and second items of the lemma below could even be seen as part of the definition of embedded 
net since nonemptiness is necessary for the constructions above to result in nets with the 
expected behaviours. With the final property, they can be used to show that no event has 
concession in the terminal marking of the net. The third property eases the definitions 
constructing $\mathcal{N}[\![t]\!]$. 

Lemma 3.11. For any closed term t and event $e \in \mathrm{Ev}(t)$: 

(1) $\mathrm{Ic}(t) \neq \emptyset$ and $\mathrm{Tc}(t) \neq \emptyset$, 

(2) ${}^{\circ}e \neq \emptyset$ and $e^{\circ} \neq \emptyset$, 

(3) $\mathrm{Ic}(t) \cap \mathrm{Tc}(t) = \emptyset$, and 

(4) ${}^{\circ}e \cap \mathrm{Tc}(t) = \emptyset$. 

Proof. The proof follows a simple induction on the size of terms. □ 

The following property, that any event occurring from the initial marking of a net has a 
precondition in the set of initial conditions (and the corresponding property that any event 
into the terminal marking of the net has a postcondition inside the terminal conditions), 
follows immediately from the previous lemma. It will be used frequently; for instance, to 
show that in the net $\mathcal{N}[\![t_1; t_2]\!]$ if $e_1$ is an event from $\mathcal{N}[\![t_1]\!]$ and $e_2$ is an event from $\mathcal{N}[\![t_2]\!]$ 
and $e_2$ immediately follows $e_1$ in some sequential run, then there is a control condition that 
occurs in both the postconditions of $e_1$ and the preconditions of $e_2$. This property is used 
in Theorem 5.4. 

Lemma 3.12. For any closed term t, event e and marking C of control conditions of $\mathcal{N}[\![t]\!]$: 

• If $\mathrm{Ic}(t) \xrightarrow{e}_{c} C$ then ${}^{\bullet}e \cap \mathrm{Ic}(t) \neq \emptyset$. 

• If $C \xrightarrow{e}_{c} \mathrm{Tc}(t)$ then $e^{\bullet} \cap \mathrm{Tc}(t) \neq \emptyset$. □ 

Another important technical property that the embedded nets formed possess is that 
the marking of control conditions is equal to the set of initial conditions if either only initial 
conditions are marked or if all initial conditions are marked, for any reachable marking, and 
the similar statement for the terminal conditions of the net. 

Definition 3.13. Say that an embedded net N is clear if, for any marking of control 
conditions C that is control-reachable from $\mathrm{Ic}(N)$: 

(1) if either $C \subseteq \mathrm{Ic}(N)$ or $\mathrm{Ic}(N) \subseteq C$ then $C = \mathrm{Ic}(N)$, and 

(2) if either $C \subseteq \mathrm{Tc}(N)$ or $\mathrm{Tc}(N) \subseteq C$ then $C = \mathrm{Tc}(N)$. 

This is used in the proofs characterizing the markings reachable in the net $\mathcal{N}[\![t]\!]$ in 
terms of the markings reachable in the nets representing t's subterms (for instance, to show 
that any run to completion of the net $\mathcal{N}[\![t_1; t_2]\!]$ can be obtained as a run of the net $\mathcal{N}[\![t_1]\!]$ 
followed by a run of the net $\mathcal{N}[\![t_2]\!]$, since when $t_1$ in $\mathcal{N}[\![t_1; t_2]\!]$ terminates, precisely the 
terminal control conditions of $\mathcal{N}[\![t_1]\!]$ will be marked). 

Some care is necessary since the proof that, for any closed term t, the net $\mathcal{N}[\![t]\!]$ is 
clear itself requires understanding of the markings reachable in the net $\mathcal{N}[\![t]\!]$. To resolve 
this apparent 'circularity', when proving the properties required of the net $\mathcal{N}[\![t]\!]$ required 
to show that the net is clear we shall assume that the nets representing the subterms of t 
are clear. We shall then prove that any net $\mathcal{N}[\![t]\!]$ is clear, allowing us to use elsewhere the 
properties relating runs of the net $\mathcal{N}[\![t]\!]$ to the runs of the nets of subterms of t. In effect, 
we will be proving clearness and the structural properties simultaneously, by induction on 
the size of terms. 

3.8.1. Sequential composition. The technique that we use to relate the runs of the net for 
a term t to the runs of the nets of its subterms is to establish a suitably strong invariant 
relating the markings arising before and after the occurrence of any event present in $\mathcal{N}[\![t]\!]$, 
and then perform an induction on the length of sequence. For instance, for sequential 
composition, we prove: 

Lemma 3.14. Let $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2)$. Assume that $\mathcal{N}[\![t_1]\!]$ and $\mathcal{N}[\![t_2]\!]$ are clear (Defi- 
nition 3.13), and consider the net $\mathcal{N}[\![t_1; t_2]\!]$. For any event $e \in \mathrm{Ev}(t_1; t_2)$ and any markings 
of control conditions $C_1$ and $C_2$: 

• $\mathrm{Ic}(t_1; t_2) = P \lhd 1{:}\mathrm{Ic}(t_1)$ and $\mathrm{Tc}(t_1; t_2) = P \rhd 2{:}\mathrm{Tc}(t_2)$. 

• $P = P \lhd 1{:}C_1$ iff $C_1 = \mathrm{Tc}(t_1)$, and $P = P \rhd 2{:}C_2$ iff $C_2 = \mathrm{Ic}(t_2)$. 

• Suppose that $C_1$ is control-reachable from $\mathrm{Ic}(t_1)$ in $\mathcal{N}[\![t_1]\!]$. If $P \lhd 1{:}C_1 \xrightarrow{e}_{c} C'$ in $\mathcal{N}[\![t_1; t_2]\!]$ 
then either $C_1 = \mathrm{Tc}(t_1)$ or there exist $C'_1$ and $e_1$ such that $C_1 \xrightarrow{e_1}_{c} C'_1$ in $\mathcal{N}[\![t_1]\!]$ and 
$C' = P \lhd 1{:}C'_1$ and $e = P \lhd 1{:}e_1$. 

• Suppose that $C_2$ is control-reachable from $\mathrm{Ic}(t_2)$ in $\mathcal{N}[\![t_2]\!]$. If $P \rhd 2{:}C_2 \xrightarrow{e}_{c} C'$ in $\mathcal{N}[\![t_1; t_2]\!]$ 
then there exist $C'_2$ and $e_2$ such that $C_2 \xrightarrow{e_2}_{c} C'_2$ in $\mathcal{N}[\![t_2]\!]$ and $C' = P \rhd 2{:}C'_2$ and $e = P \rhd 2{:}e_2$. 

Proof. The first item is simply a re-statement of part of the definition of $\mathcal{N}[\![t_1; t_2]\!]$ and the 
second item is easy to show. The remaining parts follow an analysis of the events of the 
net. □ 

Using this result, it can be shown that any state reached in $\mathcal{N}[\![t_1; t_2]\!]$ is reached either 
as a run of $\mathcal{N}[\![t_1]\!]$ or as a run of $\mathcal{N}[\![t_1]\!]$ to a terminal marking followed by a run of $\mathcal{N}[\![t_2]\!]$. 

Lemma 3.15. Suppose that the nets $\mathcal{N}[\![t_1]\!]$ and $\mathcal{N}[\![t_2]\!]$ are clear. If $\pi : \mathrm{Ic}(t_1; t_2) \longrightarrow^{*}_{c} C$ in 
$\mathcal{N}[\![t_1; t_2]\!]$ then either: 

• there exist $C_1$ and $\pi_1$ such that $C = P \lhd 1{:}C_1$ and $\pi = P \lhd 1{:}\pi_1$ and $\pi_1 : \mathrm{Ic}(t_1) \longrightarrow^{*}_{c} C_1$ in 
$\mathcal{N}[\![t_1]\!]$, or 

• there exist $C_2$, $\pi_1$ and $\pi_2$ such that $C = P \rhd 2{:}C_2$ and $\pi = (P \lhd 1{:}\pi_1) \cdot (P \rhd 2{:}\pi_2)$ and 
$\pi_1 : \mathrm{Ic}(t_1) \longrightarrow^{*}_{c} \mathrm{Tc}(t_1)$ in $\mathcal{N}[\![t_1]\!]$ and $\pi_2 : \mathrm{Ic}(t_2) \longrightarrow^{*}_{c} C_2$ in $\mathcal{N}[\![t_2]\!]$, 

where $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2)$. 

Proof. A straightforward induction on the length of π using Lemma 3.14. □ 

The above lemma can be extended straightforwardly using Lemma 3.10 to obtain the 
following result involving states, using the fact that the operations of prefixing and tagging 
do not affect the action of events on state conditions: 

Lemma 3.16. Suppose that the nets $\mathcal{N}[\![t_1]\!]$ and $\mathcal{N}[\![t_2]\!]$ are clear. If $\pi : (\mathrm{Ic}(t_1; t_2), \sigma_0) \longrightarrow^{*} (C, \sigma)$ 
in $\mathcal{N}[\![t_1; t_2]\!]$ then either: 

• there exist $C_1$ and $\pi_1$ such that $C = P \lhd 1{:}C_1$ and $\pi = P \lhd 1{:}\pi_1$ and $\pi_1 : (\mathrm{Ic}(t_1), \sigma_0) \longrightarrow^{*} (C_1, \sigma)$ 
in $\mathcal{N}[\![t_1]\!]$, or 

• there exist $C_2$, σ', $\pi_1$ and $\pi_2$ such that $C = P \rhd 2{:}C_2$ and $\pi = (P \lhd 1{:}\pi_1) \cdot (P \rhd 2{:}\pi_2)$ and 
$\pi_1 : (\mathrm{Ic}(t_1), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(t_1), \sigma')$ in $\mathcal{N}[\![t_1]\!]$ and $\pi_2 : (\mathrm{Ic}(t_2), \sigma') \longrightarrow^{*} (C_2, \sigma)$ in $\mathcal{N}[\![t_2]\!]$, 

where $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2)$. □ 

The converse result, that runs of the nets $\mathcal{N}[\![t_1]\!]$ and $\mathcal{N}[\![t_2]\!]$, with appropriate interme- 
diate states, give rise to runs of the net $\mathcal{N}[\![t_1; t_2]\!]$, can also be shown. 

3.8.2. Parallel composition. Runs of control within the net $\mathcal{N}[\![t_1 \parallel t_2]\!]$ are amenable to a 
similar (though in fact less complicated) analysis to that presented in Lemmas 3.14 and 

Lemma 3.17. Consider the net $\mathcal{N}[\![t_1 \parallel t_2]\!]$. 

• $\mathrm{Ic}(t_1 \parallel t_2) = 1{:}\mathrm{Ic}(t_1) \cup 2{:}\mathrm{Ic}(t_2)$ and $\mathrm{Tc}(t_1 \parallel t_2) = 1{:}\mathrm{Tc}(t_1) \cup 2{:}\mathrm{Tc}(t_2)$. 

• For any markings $C_1, C_2$ and C of control conditions and any event $e \in \mathrm{Ev}(t_1 \parallel t_2)$, if 
$1{:}C_1 \cup 2{:}C_2 \xrightarrow{e}_{c} C$ in $\mathcal{N}[\![t_1 \parallel t_2]\!]$ then either: 

– there exists $e_1 \in \mathrm{Ev}(t_1)$ such that $e = 1{:}e_1$ and there exists $C'_1$ such that $C = 1{:}C'_1 \cup 2{:}C_2$ 
and $C_1 \xrightarrow{e_1}_{c} C'_1$ in $\mathcal{N}[\![t_1]\!]$, or 

– there exists $e_2 \in \mathrm{Ev}(t_2)$ such that $e = 2{:}e_2$ and there exists $C'_2$ such that $C = 1{:}C_1 \cup 2{:}C'_2$ 
and $C_2 \xrightarrow{e_2}_{c} C'_2$ in $\mathcal{N}[\![t_2]\!]$. 

Proof. A straightforward examination of the events of $\mathcal{N}[\![t_1 \parallel t_2]\!]$. □ 

Using the preceding lemma, the paths of the net $\mathcal{N}[\![t_1 \parallel t_2]\!]$ on control conditions can 
be characterized as: 

Lemma 3.18. If $\pi : \mathrm{Ic}(t_1 \parallel t_2) \longrightarrow^{*}_{c} C$ in $\mathcal{N}[\![t_1 \parallel t_2]\!]$ then any event e in π is either equal to 
$1{:}e_1$ for some event $e_1 \in \mathrm{Ev}(t_1)$ or equal to $2{:}e_2$ for some event $e_2 \in \mathrm{Ev}(t_2)$. Furthermore, 
there exist $C_1$ and $C_2$ such that $C = 1{:}C_1 \cup 2{:}C_2$ and 

$$\pi_1 : \mathrm{Ic}(t_1) \longrightarrow^{*}_{c} C_1 \qquad \text{and} \qquad \pi_2 : \mathrm{Ic}(t_2) \longrightarrow^{*}_{c} C_2,$$ 

where $\pi_1$ is obtained by removing events equal to $2{:}e_2$ for some $e_2$ from π, and $\pi_2$ is obtained 
by removing events equal to $1{:}e_1$ for some $e_1$ from π. 

Proof. Induction on the length of path π. □ 

Notably there is no analogue to Lemma 3.16 involving the markings of state conditions 
for the parallel composition. 

3.8.3. Iteration. The net $\mathcal{N}[\![\mathbf{while}\ b\ \mathbf{do}\ t_0\ \mathbf{od}]\!]$ allows runs that start with an event that 
either shows that the boolean b holds or an event that shows that b fails. If b fails, the net 
enters its terminal marking and no further action occurs. If the boolean b passes, a run of 
the net $\mathcal{N}[\![t_0]\!]$ occurs, followed by the net re-entering its initial control state. The following 
lemma captures this; it is proved by establishing an invariant in the same way as was done 
for the sequential composition, though for brevity we shall omit it. 

Lemma 3.19. Let $t = \mathbf{while}\ b\ \mathbf{do}\ t_0\ \mathbf{od}$ and suppose that $\mathcal{N}[\![t_0]\!]$ is clear. Let $P = \{i\} \times 1{:}\mathrm{Tc}(t_0)$, 
and recall that $P = \mathrm{Ic}(t)$. Assume that π is a path such that $\pi : \mathrm{Ic}(t) \longrightarrow^{*}_{c} C$ 
in $\mathcal{N}[\![t]\!]$ for some C. There exists a natural number $n \geq 0$ and a (possibly empty if n = 0) 
collection of paths $\pi_1, \ldots, \pi_n$ and heaps $D_1, \ldots, D_n$ such that, for each path $\pi_i$: 

$$\pi_i : \mathrm{Ic}(t_0) \longrightarrow^{*}_{c} \mathrm{Tc}(t_0) \text{ in } \mathcal{N}[\![t_0]\!] \qquad \mathrm{act}_{(\mathrm{Ic}(b),\mathrm{Tc}(b))}(D_i, D_i) : \mathrm{Ic}(b) \longrightarrow^{*}_{c} \mathrm{Tc}(b) \text{ in } \mathcal{N}[\![b]\!].$$ 

Write $e_i$ for the event $\mathrm{act}_{(P,\,1:\mathrm{Ic}(t_0))}(D_i, D_i)$. Either: 

• $C = \mathrm{Ic}(t)$ and $\pi = e_1 \cdot (P \rhd 1{:}\pi_1) \cdot \ldots \cdot e_n \cdot (P \rhd 1{:}\pi_n)$; 

• $C = P \rhd 1{:}C'$ for some marking of control conditions C' and there exists a path π' and 
heap D' such that 

$$\pi = e_1 \cdot (P \rhd 1{:}\pi_1) \cdot \ldots \cdot e_n \cdot (P \rhd 1{:}\pi_n) \cdot \mathrm{act}_{(P,\,1:\mathrm{Ic}(t_0))}(D', D') \cdot (P \rhd 1{:}\pi')$$ 

and 

$$\pi' : \mathrm{Ic}(t_0) \longrightarrow^{*}_{c} C' \text{ in } \mathcal{N}[\![t_0]\!] \qquad \mathrm{act}_{(\mathrm{Ic}(b),\mathrm{Tc}(b))}(D', D') : \mathrm{Ic}(b) \longrightarrow^{*}_{c} \mathrm{Tc}(b) \text{ in } \mathcal{N}[\![b]\!]; \text{ or}$$ 

• $C = \mathrm{Tc}(t)$ and there exists a heap D' such that 

$$\pi = e_1 \cdot (P \rhd 1{:}\pi_1) \cdot \ldots \cdot e_n \cdot (P \rhd 1{:}\pi_n) \cdot \mathrm{act}_{(P,\,\mathrm{Tc}(t))}(D', D')$$ 

and $\mathrm{act}_{(\mathrm{Ic}(\neg b),\mathrm{Tc}(\neg b))}(D', D') : \mathrm{Ic}(\neg b) \longrightarrow^{*}_{c} \mathrm{Tc}(\neg b)$ in $\mathcal{N}[\![\neg b]\!]$. □ 

The three possible cases for the control marking C above correspond to the net being in its 
initial control state (following some number of iterations), the net being in the body of the 
loop, and the net being in its terminal control state following exit of the loop. 

3.8.4. Sums. The behaviour of the net $\mathcal{N}[\![\alpha_1.t_1 + \alpha_2.t_2]\!]$ can be characterized as either the 
occurrence of an event of the action $\alpha_1$ followed by a run of $t_1$ or the occurrence of an event 
of the action $\alpha_2$ followed by a run of $t_2$. Note that if $C = P \lhd 1{:}C_1$ then $C = \mathrm{Tc}(\alpha_1.t_1 + \alpha_2.t_2)$ 
if, and only if, $C_1 = \mathrm{Tc}(t_1)$, and the similar property for $t_2$. 

Lemma 3.20. Let $t = \alpha_1.t_1 + \alpha_2.t_2$ and $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Tc}(t_2)$ and suppose that the nets 
$\mathcal{N}[\![t_1]\!]$ and $\mathcal{N}[\![t_2]\!]$ are clear. If π is a path $\pi : \mathrm{Ic}(t) \longrightarrow^{*}_{c} C$ in $\mathcal{N}[\![t]\!]$ for some C then: 

• $C = \mathrm{Ic}(t)$ and $\pi = ()$, or 

• $C = P \lhd 1{:}C_1$ for some $C_1$ and $\pi = \mathrm{act}_{(\mathrm{Ic}(t),\,1:\mathrm{Ic}(t_1))}(D_1, D'_1) \cdot (P \lhd 1{:}\pi_1)$ for some $\pi_1, D_1, D'_1$ 
such that 

$$\mathrm{act}_{(\mathrm{Ic}(\alpha_1),\mathrm{Tc}(\alpha_1))}(D_1, D'_1) : \mathrm{Ic}(\alpha_1) \longrightarrow^{*}_{c} \mathrm{Tc}(\alpha_1) \text{ in } \mathcal{N}[\![\alpha_1]\!] \qquad \pi_1 : \mathrm{Ic}(t_1) \longrightarrow^{*}_{c} C_1 \text{ in } \mathcal{N}[\![t_1]\!]; \text{ or}$$ 

• $C = P \rhd 2{:}C_2$ for some $C_2$ and $\pi = \mathrm{act}_{(\mathrm{Ic}(t),\,2:\mathrm{Ic}(t_2))}(D_2, D'_2) \cdot (P \rhd 2{:}\pi_2)$ for some $\pi_2, D_2, D'_2$ 
such that 

$$\mathrm{act}_{(\mathrm{Ic}(\alpha_2),\mathrm{Tc}(\alpha_2))}(D_2, D'_2) : \mathrm{Ic}(\alpha_2) \longrightarrow^{*}_{c} \mathrm{Tc}(\alpha_2) \text{ in } \mathcal{N}[\![\alpha_2]\!] \qquad \pi_2 : \mathrm{Ic}(t_2) \longrightarrow^{*}_{c} C_2 \text{ in } \mathcal{N}[\![t_2]\!].$$ 

Proof. An induction after establishing an invariant in the style of Lemma 3.14. □ 

3.8.5. Resource declaration. A consequence of the following result is that any complete run 
of the net resource w do $t_0$ od consists first of an event that chooses a resource r to be 
used for w, then a run of $[r/w]t_0$, and finally an event that records that r is no longer in 
use. 

Lemma 3.21. Suppose that the net $\mathcal{N}[\![[r/w]t_0]\!]$ is clear for any resource r and let $t = $ 
resource w do $t_0$ od. If in the net $\mathcal{N}[\![t]\!]$ we have $\pi : \mathrm{Ic}(t) \longrightarrow^{*}_{c} C$ then either: 

• $C = \mathrm{Ic}(t)$ and $\pi = ()$, or 

• there exist $r \in \mathit{Res}$ and C' and $\pi_0$ such that $C = r{:}C'$ and 

$$\pi = \mathrm{decl}_{(\{i\},\,r:\mathrm{Ic}([r/w]t_0))}(r) \cdot (r{:}\pi_0)$$ 

and 

$$\mathrm{decl}_{(\{i\},\,r:\mathrm{Ic}([r/w]t_0))}(r) : \mathrm{Ic}(t) \longrightarrow^{*}_{c} r{:}\mathrm{Ic}([r/w]t_0) \text{ in } \mathcal{N}[\![t]\!] \text{ and } \pi_0 : \mathrm{Ic}([r/w]t_0) \longrightarrow^{*}_{c} C' \text{ in } \mathcal{N}[\![[r/w]t_0]\!], \text{ or}$$ 

• $C = \mathrm{Tc}(t)$ and there exist $r \in \mathit{Res}$ and $\pi_0$ such that 

$$\pi = \mathrm{decl}_{(\{i\},\,r:\mathrm{Ic}([r/w]t_0))}(r) \cdot (r{:}\pi_0) \cdot \mathrm{end}_{(r:\mathrm{Tc}([r/w]t_0),\,\{t\})}(r)$$ 

and 

$$\begin{aligned}&\mathrm{decl}_{(\{i\},\,r:\mathrm{Ic}([r/w]t_0))}(r) : \mathrm{Ic}(t) \longrightarrow^{*}_{c} r{:}\mathrm{Ic}([r/w]t_0) \text{ in } \mathcal{N}[\![t]\!], \\ &\pi_0 : \mathrm{Ic}([r/w]t_0) \longrightarrow^{*}_{c} \mathrm{Tc}([r/w]t_0) \text{ in } \mathcal{N}[\![[r/w]t_0]\!], \text{ and} \\ &\mathrm{end}_{(r:\mathrm{Tc}([r/w]t_0),\,\{t\})}(r) : r{:}\mathrm{Tc}([r/w]t_0) \longrightarrow^{*}_{c} \mathrm{Tc}(t) \text{ in } \mathcal{N}[\![t]\!].\end{aligned}$$ 

Proof. By establishing an invariant on markings between the occurrences of single events, 
as in Lemma 3.14. □ 

3.8.6. Critical regions. The net $\mathcal{N}[\![\mathbf{with}\ r\ \mathbf{do}\ t_0\ \mathbf{od}]\!]$ starts by acquiring the resource r. If 
this action cannot proceed because the resource is unavailable, no event will occur. If 
the resource is available, the process behaves as $t_0$, and then releases the resource r if $t_0$ 
terminates. 

Lemma 3.22. Let $t = \mathbf{with}\ r\ \mathbf{do}\ t_0\ \mathbf{od}$ and suppose that the net $\mathcal{N}[\![t_0]\!]$ is clear. If in the 
net $\mathcal{N}[\![t]\!]$ we have $\pi : \mathrm{Ic}(t) \longrightarrow^{*}_{c} C$ then either: 

• $C = \mathrm{Ic}(t)$ and $\pi = ()$, 

• $C = r{:}C_0$ for some marking of control conditions $C_0$ and $\pi = \mathrm{acq}_{(\mathrm{Ic}(t),\,r:\mathrm{Ic}(t_0))}(r) \cdot (r{:}\pi_0)$ 
for some path $\pi_0$ such that $\pi_0 : \mathrm{Ic}(t_0) \longrightarrow^{*}_{c} C_0$ in $\mathcal{N}[\![t_0]\!]$, or 

• $C = \mathrm{Tc}(t)$ and $\pi = \mathrm{acq}_{(\mathrm{Ic}(t),\,r:\mathrm{Ic}(t_0))}(r) \cdot (r{:}\pi_0) \cdot \mathrm{rel}_{(r:\mathrm{Tc}(t_0),\,\mathrm{Tc}(t))}(r)$ for some path $\pi_0$ such 
that $\pi_0 : \mathrm{Ic}(t_0) \longrightarrow^{*}_{c} \mathrm{Tc}(t_0)$ in $\mathcal{N}[\![t_0]\!]$. □ 
3.8.7. Clearness. Now that we have established these control properties of the runs of pro- 
cesses, we can show that the clearness property of Definition 3.13 does indeed hold in the 
net $\mathcal{N}[\![t]\!]$ for any term t. 

Lemma 3.23. For any closed term t, the net $\mathcal{N}[\![t]\!]$ is clear. 

Proof. Following the observation that 

$$\begin{aligned} 1{:}C \subseteq 1{:}C' &\text{ iff } C \subseteq C' \\ P \lhd C \subseteq P \lhd C' &\text{ iff } C \subseteq C' \\ P \rhd C \subseteq P \rhd C' &\text{ iff } C \subseteq C', \end{aligned}$$ 

the property can be proved by induction on the size of terms using the above control 
properties. □ 



3.8.8. Preservation of consistency. The final attribute that we aim towards is that any 
marking of state conditions a reachable in A/'[t| from a consistent initial marking of state 
conditions (Tq is itself consistent. The only challenge here will be showing that if r G a then 
curr(r) G a, which shall require some understanding of the nature of the critical regions 
present in our semantics; the other requirements for consistency are straightforwardly shown 
to be preserved through the occurrence of the events present in 7V[t|. 

We shall first show that any release of a resource is dependent on the prior acquisition of that resource: for any sequence $\pi$ and any resource there exists an injection $f$ that associates any occurrence of a release event to a prior occurrence of an acquisition event of that resource, and between the two occurrences there are no other actions on that resource.

Lemma 3.24. Let $\pi$ be a sequence of events, $\pi = (e_1, \ldots, e_n)$. For any closed term $t$, resource $r$ and marking of control conditions $C$ such that $\pi : \mathrm{Ic}(t) \longrightarrow^*_c C$ in $\mathcal{N}[\![t]\!]$, there exists a partial function $f : \mathbb{N} \rightharpoonup \mathbb{N}$ satisfying, for all $i, j \in \mathbb{N}$:

• $f$ is injective,

• if there exist sets of control conditions $C_1, C_2$ such that $e_i = \mathrm{rel}_{(C_1,C_2)}(r)$ then $f(i)$ is defined, and

• if $f(i)$ is defined then $f(i) < i$ and there exist sets of control conditions $C_1, C_2$ such that $e_{f(i)} = \mathrm{acq}_{(C_1,C_2)}(r)$.

Moreover, if there exist markings of state conditions $\sigma_0, \ldots, \sigma_n$ and markings of control conditions $C_0, \ldots, C_n$ such that $(C_{i-1}, \sigma_{i-1}) \xrightarrow{e_i} (C_i, \sigma_i)$ for all $i$ with $0 < i \le n$ and $C_0 = \mathrm{Ic}(t)$, then there exists an $f$ satisfying the above constraints and such that, for all $k$ with $f(i) < k < i$, there exist no $C'$ and $C''$ such that either $e_k = \mathrm{acq}_{(C',C'')}(r)$ or $e_k = \mathrm{rel}_{(C',C'')}(r)$.

Proof. The first property is shown, using the control properties of sequences established above, by induction on the size of terms. The second property arises since if $e_i = \mathrm{acq}_{(C_1,C_1')}(r)$ and $e_j = \mathrm{acq}_{(C_2,C_2')}(r)$ for $i < j$ then there must exist $k$ such that $i < k < j$ and $e_k = \mathrm{rel}_{(C_3,C_3')}(r)$, and the symmetric property for release events. □






We are now able to show that the nets formed preserve the consistency of the markings 
of state conditions. 

Lemma 3.25 (Preservation of consistent markings). For any closed term $t$, if $(\mathrm{Ic}(t), \sigma_0) \longrightarrow^* (C, \sigma)$ in the net $\mathcal{N}[\![t]\!]$ and the marking $\sigma_0$ of state conditions is consistent then $\sigma$ is consistent.

Proof. It is straightforward to prove by induction on the size of the term $t$ that the events present in the net $\mathcal{N}[\![t]\!]$ are all of one of the following forms:

$\mathrm{act}_{(C,C')}(D,D')$, $\mathrm{alloc}_{(C,C')}(\ell,v,\ell',v')$, $\mathrm{dealloc}_{(C,C')}(\ell,\ell',v')$, $\mathrm{decl}_{(C,C')}(r)$, $\mathrm{end}_{(C,C')}(r)$, $\mathrm{acq}_{(C,C')}(r)$, $\mathrm{rel}_{(C,C')}(r)$.

It is readily shown that each form of event preserves the consistency of the marking of state conditions, apart from showing that if $r \in \sigma$ then $\mathrm{curr}(r) \in \sigma$.

Suppose, for contradiction, that $\pi'$ is a path such that $\pi' : (\mathrm{Ic}(t), \sigma_0) \longrightarrow^* (C, \sigma)$ in $\mathcal{N}[\![t]\!]$ and that $r \in \sigma$ but $\mathrm{curr}(r) \notin \sigma$. Assume, furthermore, and without loss of generality, that any other marking of state conditions $\sigma'$ along $\pi'$ has the property that if $r \in \sigma'$ then $\mathrm{curr}(r) \in \sigma'$. It must be the case that $\pi' = \pi \cdot \mathrm{rel}_{(D_1,D_1')}(r)$ for some $D_1, D_1'$ and $\pi$. By Lemma 3.24 there exist $D_2, D_2', \pi_1$ and $\pi_2$ such that $\pi = \pi_1 \cdot \mathrm{acq}_{(D_2,D_2')}(r) \cdot \pi_2$ and no event in $\pi_2$ is an $\mathrm{acq}(r)$ or $\mathrm{rel}(r)$ event. Let $\pi_1 : (\mathrm{Ic}(t), \sigma_0) \longrightarrow^* (C_1, \sigma_1)$. We must have $r \in \sigma_1$, and by assumption $\mathrm{curr}(r) \in \sigma_1$. It can be seen that we must have $\mathrm{curr}(r) \in \sigma'$ and $r \notin \sigma'$ for all states $\sigma'$ reached along $\mathrm{acq}_{(D_2,D_2')}(r) \cdot \pi_2$ from $(C_1, \sigma_1)$, since no $\mathrm{end}(r)$ event can have concession in such markings. Consequently, we must have $\mathrm{curr}(r) \in \sigma_2$ for $\sigma_2$ obtained by following the path $\pi : (\mathrm{Ic}(t), \sigma_0) \longrightarrow^* (C_2, \sigma_2)$, and therefore $\mathrm{curr}(r) \in \sigma$. □

The structure of processes ensures that any resource initially current remains current 
through the execution of the net. The same property working backwards from the terminal 
marking of the net also holds. 

Lemma 3.26. Let $\sigma, \sigma'$ be consistent markings of state conditions. For any markings of control conditions $C, C'$:

(1) If $(\mathrm{Ic}(t), \sigma) \longrightarrow^* (C, \sigma')$ in $\mathcal{N}[\![t]\!]$ and $\mathrm{curr}(r) \in \sigma$ then $\mathrm{curr}(r) \in \sigma'$.

(2) If $(\mathrm{Ic}(t), \sigma) \longrightarrow^* (\mathrm{Tc}(t), \sigma')$ in $\mathcal{N}[\![t]\!]$ and $\mathrm{curr}(r) \in \sigma'$ then $\mathrm{curr}(r) \in \sigma$.

Proof. We shall only show (1) since (2) is similar. An induction on the size of terms using the control properties above gives the following:

• If there exists a sequence $\pi$ such that $\pi \cdot \mathrm{end}_{(C_1,C_2)}(r) : \mathrm{Ic}(t) \longrightarrow^*_c C$ for some $C_1, C_2$ then there exists an event $\mathrm{decl}_{(C_1',C_2')}(r)$ in $\pi$ for some $C_1', C_2'$.

Let $\pi'$ be a sequence $\pi' : (\mathrm{Ic}(t), \sigma) \longrightarrow^* (C', \sigma')$ and assume that $\mathrm{curr}(r) \in \sigma$. Without loss of generality, suppose that $(C', \sigma')$ is the earliest marking along $\pi'$ from $(\mathrm{Ic}(t), \sigma)$ such that $\mathrm{curr}(r) \notin \sigma'$; otherwise, we can take the initial segment of $\pi'$ with this property. Examination of the events given by our semantics reveals that the last event in $\pi'$ is an $\mathrm{end}_{(C_1,C_2)}(r)$ event, since otherwise $\mathrm{curr}(r)$ is not in the state prior to $\sigma'$. Now, applying the result above informs us that there is an event $\mathrm{decl}_{(C_1',C_2')}(r)$ in $\pi'$, and this must occur before $\mathrm{end}_{(C_1,C_2)}(r)$. Now, the event $\mathrm{decl}_{(C_1',C_2')}(r)$ can only occur in a marking $\sigma_0$ of state conditions such that $\mathrm{curr}(r) \notin \sigma_0$, but this contradicts our assumption that $\sigma'$ was the first marking of state conditions reachable along $\pi'$ from $(\mathrm{Ic}(t), \sigma)$ with $\mathrm{curr}(r) \notin \sigma'$. □
3.9. Correspondence of semantics. As we have progressed, the event notations introduced have corresponded to labels of the transition semantics. Write $|e|$ for the label corresponding to event $e$. Before progressing to consider separation logic, we shall give a theorem* that shows how the net and transition semantics correspond. It assumes a definition of open map bisimulation [JNW93, NW96] based on paths as pomsets, $(N, M) \sim (N', M')$, relating paths of net $N$ from marking $M$ to paths of $N'$ from $M'$. The bisimulations that we form respect terminal markings and markings of state conditions.

Theorem 3.27 (Correspondence). Let $t$ be a closed term and $\sigma$ be a consistent state.

• If $(t, \sigma) \xrightarrow{\lambda} \sigma'$ then there exists $e$ such that $|e| = \lambda$ and $(\mathrm{Ic}(t), \sigma) \xrightarrow{e} (\mathrm{Tc}(t), \sigma')$ in $\mathcal{N}[\![t]\!]$.

• If $(t, \sigma) \xrightarrow{\lambda} (t', \sigma')$ then there exists $e$ such that $|e| = \lambda$ and $(\mathrm{Ic}(t), \sigma) \xrightarrow{e} (C', \sigma')$ in $\mathcal{N}[\![t]\!]$ and $(\mathcal{N}[\![t]\!], C', \sigma') \sim (\mathcal{N}[\![t']\!], \mathrm{Ic}(t'), \sigma')$.

• If $(\mathrm{Ic}(t), \sigma) \xrightarrow{e} (C', \sigma')$ in $\mathcal{N}[\![t]\!]$ then either there exists $t'$ such that $(t, \sigma) \xrightarrow{|e|} (t', \sigma')$ and $(\mathcal{N}[\![t]\!], C', \sigma') \sim (\mathcal{N}[\![t']\!], \mathrm{Ic}(t'), \sigma')$, or $(t, \sigma) \xrightarrow{|e|} \sigma'$ and $C' = \mathrm{Tc}(t)$. □

Write $(t, \sigma) \sim (t', \sigma')$ iff there exists a label-preserving bisimulation (in the standard sense) between the transition systems for $t$ from initial state $\sigma$ and $t'$ from $\sigma'$. From the preceding result, we obtain adequacy of our semantics:

Corollary 3.28 (Adequacy). Let $t, t'$ be closed terms and $\sigma, \sigma'$ be consistent states. If $(\mathcal{N}[\![t]\!], \mathrm{Ic}(t), \sigma) \sim (\mathcal{N}[\![t']\!], \mathrm{Ic}(t'), \sigma')$ then $(t, \sigma) \sim (t', \sigma')$. □

The converse property, with respect to bisimulation of the transition systems, fails. For instance, for any $\sigma$ we have

$(a_1 \parallel a_2, \sigma) \sim (a_1.a_2 + a_2.a_1, \sigma).$

However, the definition of open bisimulation on the nets with pomsets as paths yields

$(\mathcal{N}[\![a_1 \parallel a_2]\!], \mathrm{Ic}(a_1 \parallel a_2), \sigma) \not\sim (\mathcal{N}[\![a_1.a_2 + a_2.a_1]\!], \mathrm{Ic}(a_1.a_2 + a_2.a_1), \sigma).$

The reason why the property fails is that the transition system does not capture the independence of actions.

4. Separation logic 

As discussed in the introduction, concurrent separation logic establishes partial correctness assertions about concurrent heap-manipulating programs: that whenever a given program running from a heap satisfying a heap formula $\varphi$ terminates, the resulting heap satisfies a heap formula $\psi$. The semantics of the heap logic arises as an instance of the logic of Bunched Implications [OP99]. At its core are the associated notions of heap composition and the separating conjunction. Two heaps may be composed if they are defined over disjoint sets of locations:

$D_1 \cdot D_2 = D_1 \cup D_2$ if $\mathrm{dom}(D_1) \cap \mathrm{dom}(D_2) = \emptyset$.

* The proof of this theorem is rather technical and requires a presentation of open maps on the category of embedded Petri nets, so we shall not present the proof here. It shall appear, with the other omitted results, in the first author's PhD thesis.
A heap satisfies the separating conjunction $\varphi_1 * \varphi_2$ if it can be split into two parts, one satisfying $\varphi_1$ and the other $\varphi_2$:

$D \models \varphi_1 * \varphi_2$ iff there exist $D_1, D_2$ such that $D_1 \cdot D_2$ is defined and $D = D_1 \cdot D_2$ and $D_1 \models \varphi_1$ and $D_2 \models \varphi_2$.

The semantics of the other parts of the heap logic is of little significance when considering the semantics of the program logic. For completeness, however, it is defined by induction on the size of formulae in Figure 3, where the full syntax also appears. Unlike the heap logic presented in [Bro07], we do not allow arithmetic on memory locations; this is just to simplify the presentation, and such arithmetic could easily be added. Since we distinguish the types of locations and values, we use $x_{\mathrm{loc}}$ as the logical variable for locations and $x_{\mathrm{val}}$ as the logical variable for values. We adopt the usual binding precedences, and $*$ binds more tightly than the standard logical connectives. We define the shorthand notation $\ell \mapsto -$ for $\exists x_{\mathrm{val}}(\ell \mapsto x_{\mathrm{val}})$. We shall write $\models \varphi$ if $D \models \varphi$ for all heaps $D$, and write $\varphi \Rightarrow \psi$ if

We now present the intuition for the key judgement of concurrent separation logic, $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$, where $\varphi$ and $\psi$ are formulae of the heap logic, and $\Gamma$ is an environment of resource invariants, of the form $r_1 : \chi_1, \ldots, r_n : \chi_n$, associating invariants $\chi_i$ with resources $r_i$. (We refer the reader to [O'H07] for a fuller introduction.) Informally, the judgement means:

In any run from a heap satisfying $\varphi$ and the invariants $\Gamma$, the process $t$ never accesses locations that it does not own, and if the process $t$ terminates then it does so in a heap satisfying $\psi$ and the invariants $\Gamma$.

Central to this understanding is the notion of ownership, which we capture formally in Section 4.1. Initially the process $t$ is considered to own that part of the heap which satisfies $\varphi$, and accordingly to own the locations in that subheap. As $t$ runs, the locations it owns may change as it acquires and releases resources, and correspondingly the locations used in justifying their invariants.

Ownership plays a key role in making the judgements of concurrent separation logic compositional: a judgement $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$ should hold even if other (unknown) processes are to execute in the same heap. It is therefore necessary to make certain assumptions about the ways in which these other processes might interact with the process $t$. This is achieved through ownership, by assuming that each process owns, throughout its execution, a separate, though possibly changing, part of the heap; the part of the heap that each process owns must not be accessed by any other process; moreover, a process must not access locations it does not own.

The rules of concurrent separation logic are presented in Figure 4 in the style of [Bro07].
The only significant difference between the two systems is that we omit the rules for auxiliary variables and for existential quantification. Both are omitted for simplicity since they are peripheral to the focus of our work.

As a first example, the rule for heap actions (L-Act) would allow the judgement

$\Gamma \vdash \{\ell \mapsto 0\}\ [\ell] := 1\ \{\ell \mapsto 1\}$

since the process is initially assumed to own the location $\ell$, because the part of the heap that the process initially owns satisfies $\ell \mapsto 0$. The resulting part of the heap owned by the
Variables:
  $x ::= x_{\mathrm{loc}}$   Location variable
    $\mid x_{\mathrm{val}}$   Value variable

Location expressions:
  $e_{\mathrm{loc}} ::= x_{\mathrm{loc}}$   Location variable
    $\mid \ell$   Location, $\ell \in \mathrm{Loc}$

Expressions:
  $e ::= e_{\mathrm{loc}}$   Location expression
    $\mid x_{\mathrm{val}}$   Value variable
    $\mid v$   Value, $v \in \mathrm{Val}$

Formulae:
  $\varphi ::= e_{\mathrm{loc}} \mapsto e$   heap location
    $\mid \varphi * \varphi$   separating conjunction
    $\mid \mathit{empty}$   empty heap
    $\mid \varphi \wedge \varphi$   conjunction
    $\mid \varphi \vee \varphi$   disjunction
    $\mid \varphi \Rightarrow \varphi$   implication
    $\mid \neg \varphi$   negation
    $\mid \exists x.\varphi$   existential quantification
    $\mid \forall x.\varphi$   universal quantification
    $\mid e = e$   equality
    $\mid \top$   true
    $\mid \bot$   false

Semantics of closed formulae:
  $D \models \ell \mapsto v$   iff $D = \{\ell \mapsto v\}$
  $D \models \varphi_1 * \varphi_2$   iff there exist $D_1, D_2$ such that $D_1 \cdot D_2$ is defined and $D = D_1 \cdot D_2$ and $D_1 \models \varphi_1$ and $D_2 \models \varphi_2$
  $D \models \mathit{empty}$   iff $D = \emptyset$
  $D \models \varphi_1 \wedge \varphi_2$   iff $D \models \varphi_1$ and $D \models \varphi_2$
  $D \models \varphi_1 \vee \varphi_2$   iff $D \models \varphi_1$ or $D \models \varphi_2$
  $D \models \varphi_1 \Rightarrow \varphi_2$   iff $D \models \varphi_1$ implies $D \models \varphi_2$
  $D \models \neg \varphi$   iff not $D \models \varphi$
  $D \models \exists x_{\mathrm{loc}}.\varphi$   iff there exists $\ell \in \mathrm{Loc}$ such that $D \models [\ell/x_{\mathrm{loc}}]\varphi$
  $D \models \exists x_{\mathrm{val}}.\varphi$   iff there exists $v \in \mathrm{Val}$ such that $D \models [v/x_{\mathrm{val}}]\varphi$
  $D \models \forall x_{\mathrm{loc}}.\varphi$   iff for all $\ell \in \mathrm{Loc}$: $D \models [\ell/x_{\mathrm{loc}}]\varphi$
  $D \models \forall x_{\mathrm{val}}.\varphi$   iff for all $v \in \mathrm{Val}$: $D \models [v/x_{\mathrm{val}}]\varphi$
  $D \models v = v'$   iff $v = v'$
  $D \models \top$   always
  $D \models \bot$   never

Figure 3: Syntax and semantics of the heap logic
(L-Act):
  $\Gamma \vdash \{\varphi\}\ a\ \{\psi\}$
  provided that for all $D \models \varphi$ and $(D_1, D_2) \in \mathcal{A}[\![a]\!]$: $\mathrm{dom}(D_1) \subseteq \mathrm{dom}(D)$, and $D_1 \subseteq D$ implies $(D \setminus D_1) \cup D_2 \models \psi$

(L-Alloc):
  $\Gamma \vdash \{\ell \mapsto -\}\ \mathbf{alloc}(\ell)\ \{\exists x_{\mathrm{loc}}(\ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto -)\}$

(L-Dealloc):
  $\Gamma \vdash \{\exists x_{\mathrm{loc}}(\ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto -)\}\ \mathbf{dealloc}(\ell)\ \{\exists x_{\mathrm{loc}}(\ell \mapsto x_{\mathrm{loc}})\}$

(L-Seq):
  $\Gamma \vdash \{\varphi\}\ t_1\ \{\varphi'\}$   $\Gamma \vdash \{\varphi'\}\ t_2\ \{\psi\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi\}\ t_1; t_2\ \{\psi\}$

(L-Sum):
  $\Gamma \vdash \{\varphi\}\ a_1.t_1\ \{\psi\}$   $\Gamma \vdash \{\varphi\}\ a_2.t_2\ \{\psi\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi\}\ a_1.t_1 + a_2.t_2\ \{\psi\}$

(L-While):
  $\Gamma \vdash \{\varphi\}\ b\ \{\varphi'\}$   $\Gamma \vdash \{\varphi\}\ \neg b\ \{\psi\}$   $\Gamma \vdash \{\varphi'\}\ t\ \{\varphi\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi\}\ \mathbf{while}\ b\ \mathbf{do}\ t\ \mathbf{od}\ \{\psi\}$

(L-Res):
  $\Gamma, r : \chi \vdash \{\varphi\}\ [r/w]t\ \{\psi\}$   $\chi$ precise
  ------------------------------------------------------------   ($r \notin \mathrm{dom}(\Gamma)$)
  $\Gamma \vdash \{\varphi * \chi\}\ \mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}\ \{\psi * \chi\}$

(L-CR):
  $\Gamma \vdash \{\varphi * \chi\}\ t\ \{\psi * \chi\}$
  ------------------------------------------------------------
  $\Gamma, r : \chi \vdash \{\varphi\}\ \mathbf{with}\ r\ \mathbf{do}\ t\ \mathbf{od}\ \{\psi\}$

(L-Par):
  $\Gamma \vdash \{\varphi_1\}\ t_1\ \{\psi_1\}$   $\Gamma \vdash \{\varphi_2\}\ t_2\ \{\psi_2\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi_1 * \varphi_2\}\ t_1 \parallel t_2\ \{\psi_1 * \psi_2\}$

(L-Frame):
  $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi * \varphi'\}\ t\ \{\psi * \varphi'\}$

(L-Consequence):
  $\varphi \Rightarrow \varphi'$   $\Gamma \vdash \{\varphi'\}\ t\ \{\psi'\}$   $\psi' \Rightarrow \psi$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$

(L-Conjunction):
  $\Gamma \vdash \{\varphi_1\}\ t\ \{\psi_1\}$   $\Gamma \vdash \{\varphi_2\}\ t\ \{\psi_2\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi_1 \wedge \varphi_2\}\ t\ \{\psi_1 \wedge \psi_2\}$

(L-Disjunction):
  $\Gamma \vdash \{\varphi_1\}\ t\ \{\psi_1\}$   $\Gamma \vdash \{\varphi_2\}\ t\ \{\psi_2\}$
  ------------------------------------------------------------
  $\Gamma \vdash \{\varphi_1 \vee \varphi_2\}\ t\ \{\psi_1 \vee \psi_2\}$

(L-Expansion):
  $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$
  ------------------------------------------------------------
  $\Gamma, r : \chi \vdash \{\varphi\}\ t\ \{\psi\}$

(L-Contraction):
  $\Gamma, r : \chi \vdash \{\varphi\}\ t\ \{\psi\}$
  ------------------------------------------------------------   ($\mathrm{res}(t) \subseteq \mathrm{dom}(\Gamma)$)
  $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$

Figure 4: Rules of concurrent separation logic
process satisfies $\ell \mapsto 1$. The judgement

$\Gamma \vdash \{\mathit{empty}\}\ [\ell] := 2\ \{\top\}$

is not derivable, however: the part of the heap initially owned by the process satisfies $\mathit{empty}$, and therefore the process initially does not own the location $\ell$. Assignment to $\ell$ violates the principle that the process may only act on locations that it owns — the so-called frame property.

An instance of the separating conjunction is seen in the rule for parallel composition, (L-Par):

$\Gamma \vdash \{\varphi_1\}\ t_1\ \{\psi_1\}$   $\Gamma \vdash \{\varphi_2\}\ t_2\ \{\psi_2\}$
------------------------------------------------------------
$\Gamma \vdash \{\varphi_1 * \varphi_2\}\ t_1 \parallel t_2\ \{\psi_1 * \psi_2\}$

Informally, the rule is sound because the part of the initial heap that is owned by the process $t_1 \parallel t_2$ can be split into two parts, one part satisfying $\varphi_1$ owned by $t_1$ and the other satisfying $\varphi_2$ owned by $t_2$; as the processes execute, the subheaps that we see each as owning remain disjoint from each other and end up separately satisfying $\psi_1$ and $\psi_2$.

It is vital that the logic enforces the requirement that processes only act on locations that they own. If this requirement were not imposed, so that the judgement

$\Gamma \vdash \{\mathit{empty}\}\ [\ell] := 2\ \{\top\}$

were derivable, then the rule for parallel composition could be applied with the other judgement above to conclude that

$\{\ell \mapsto 0 * \mathit{empty}\}\ [\ell] := 1 \parallel [\ell] := 2\ \{\ell \mapsto 1 * \top\}.$

This flawed assertion would imply that whenever the process $[\ell] := 1 \parallel [\ell] := 2$ runs from a state satisfying $\ell \mapsto 0$, the resulting state has $\ell \mapsto 1$, which is obviously wrong.

The notion of ownership is subtle since the collection of locations that a process owns may change as the process evolves. As seen in the rule (L-Alloc), the intuitive reading is that after an allocation event has taken place the process owns the newly current location. Similarly, deallocation of a location leads to loss of ownership. For example, it is possible to make the judgement

$\Gamma \vdash \{\ell \mapsto -\}\ \mathbf{alloc}(\ell)\ \{\exists x_{\mathrm{loc}}.\ \ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto -\}.$

If the new location were $\ell'$, which initially held value $v$, this would mean that in the (fragment of the) resulting heap $\{\ell \mapsto \ell', \ell' \mapsto v\}$ the locations $\ell$ and $\ell'$ would be owned by the process. Consequently, an action $[[\ell]] := 0$, which assigns to the location pointed to by $\ell$, resulting in the heap $\{\ell \mapsto \ell', \ell' \mapsto 0\}$, allows the judgement

$\Gamma \vdash \{\exists x_{\mathrm{loc}}.\ \ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto -\}\ [[\ell]] := 0\ \{\exists x_{\mathrm{loc}}.\ \ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto 0\}$

by (L-Act) since both locations would be owned by the process. The rule (L-Seq) can now be applied to obtain

$\Gamma \vdash \{\ell \mapsto -\}\ \mathbf{alloc}(\ell); [[\ell]] := 0\ \{\exists x_{\mathrm{loc}}.\ \ell \mapsto x_{\mathrm{loc}} * x_{\mathrm{loc}} \mapsto 0\},$

indicating that the process has ownership of the location $\ell'$, seen in the ability to write to $\ell'$, once it has been allocated.

To allow the logic to make judgements beyond those applicable to the almost 'disjointly concurrent' programs outlined so far, further interaction is allowed through a system of invariants. The judgement environment $\Gamma$ records a formula called an invariant for each resource in its domain, which contains all the resources occurring in the term. The intuition






is that, whenever a resource $r$ with an invariant $\chi$ is available, there is a part of the heap, unowned by any other process and protected by the resource, that satisfies $\chi$. In such a situation, we shall say that the locations used to satisfy $\chi$ are 'owned' by the invariant for $r$. Processes may gain ownership of these locations, and thereby the right to access them, by entering a critical region protected by the resource. When the process leaves the critical region, the invariant must be restored and the ownership of the locations used to satisfy the invariant is relinquished. This is reflected in the rule (L-CR). As an example, we have the following derivation:

(L-Act)   $r : \ell \mapsto 0 \vdash \{\ell' \mapsto - * \ell \mapsto 0\}\ [\ell'] := [\ell]\ \{\ell' \mapsto 0 * \ell \mapsto 0\}$
(L-CR)    $r : \ell \mapsto 0 \vdash \{\ell' \mapsto -\}\ \mathbf{with}\ r\ \mathbf{do}\ [\ell'] := [\ell]\ \mathbf{od}\ \{\ell' \mapsto 0\}$

The process initially owns the location $\ell'$, and the location $\ell$ is protected by the resource $r$. We reason about the process inside the critical region running from a state with ownership of the locations governed by the invariant in addition to those that it owned before entering the critical region, since no other process can be operating on them; that is, we reason about $[\ell'] := [\ell]$ with locations $\ell$ and $\ell'$ owned by the process. However, when the process leaves the critical region, ownership of the locations used to satisfy the invariant is lost, indicated by the conclusion $\ell' \mapsto 0$ in the judgement rather than $\ell' \mapsto 0 * \ell \mapsto 0$.

An invariant is required to be a precise heap logic formula.

Definition 4.1 (Precision). A heap logic formula $\chi$ is precise if for any heap $D$ there is at most one subheap $D_0 \subseteq D$ such that $D_0 \models \chi$.

We leave discussion of the role of precision to the conclusion, though it might be seen to be of use since it identifies uniquely the part of the heap that is owned by the invariant if the resource is available. Formally, $\Gamma$ ranges over finite partial functions from resources to precise heap formulae. We write $\mathrm{dom}(\Gamma)$ for the set of resources on which $\Gamma$ is defined, and write $\Gamma, \Gamma'$ for the union of the two partial functions, defined only if $\mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Gamma') = \emptyset$. We write $r : \chi$ for the singleton environment taking resource $r$ to $\chi$, and we allow ourselves to write $r : \chi \in \Gamma$ if $\Gamma(r) = \chi$.

The rules allow ownership of locations to be transferred through invariants. Consider the invariant $\chi$ defined as $\ell' \mapsto 0 \vee (\ell' \mapsto 1 * \ell \mapsto 0)$. If the resource is available, the invariant is satisfied: it either protects the location $\ell'$, which has value 0, or it protects location $\ell'$, which has value 1, as well as location $\ell$. A process can acquire ownership of $\ell$ across a critical region by changing the value of $\ell'$ from 1 to 0, and may leave ownership of $\ell$ inside the invariant by changing the value of $\ell'$ from 0 to 1.

Assume, for example, that the process owns location $\ell$. The only way in which the invariant $\chi$ can be satisfied disjointly from the locations that the process owns is for $\ell'$ to hold value 0. That is, we have

which is implicitly used in the instance of the rule (L-Consequence) below. Consequently, as the process enters a critical region protected by $r$, it gains ownership of location $\ell'$. If the process sets the value of $\ell'$ to 1, when the process leaves the critical region it must restore the invariant to the resource, and so relinquish ownership of both $\ell'$ and $\ell$. This is seen in the derivation of the following judgement, in which we take $\Gamma = r : \chi$.

(L-Act)          $\Gamma \vdash \{\ell \mapsto 0 * \ell' \mapsto 0\}\ [\ell'] := 1\ \{\ell \mapsto 0 * \ell' \mapsto 1\}$
(L-Consequence)  $\Gamma \vdash \{\ell \mapsto 0 * \chi\}\ [\ell'] := 1\ \{\mathit{empty} * \chi\}$
(L-CR)           $\Gamma \vdash \{\ell \mapsto 0\}\ \mathbf{with}\ r\ \mathbf{do}\ [\ell'] := 1\ \mathbf{od}\ \{\mathit{empty}\}$

With this derivation, we can derive

$\Gamma \vdash \{\ell \mapsto 2\}\ [\ell] := 0;\ \mathbf{with}\ r\ \mathbf{do}\ [\ell'] := 1\ \mathbf{od}\ \{\mathit{empty}\}.$
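As an added example (not the paper's own code), the following Python models the heap logic of Figure 3 over a tiny constructed universe, checks the (L-Act) side condition of Figure 4 on the judgements about $[\ell] := 1$ and $[\ell] := 2$ discussed earlier, and tests the precision (Definition 4.1) of the invariant $\chi = \ell' \mapsto 0 \vee (\ell' \mapsto 1 * \ell \mapsto 0)$; the shape assumed for $\mathcal{A}[\![\,[\ell] := v\,]\!]$ and the names `LOC`, `VAL` and `l2` (standing for $\ell'$) are assumptions of this example.

```python
from itertools import combinations, product

# Added example (not the paper's code): the heap logic of Figure 3 over a tiny, constructed
# universe, used to check the (L-Act) side condition and the precision of an invariant.
LOC = ("l", "l2")      # the locations l and l' of the text; "l2" stands for l'
VAL = (0, 1, 2)

def heap(**cells):
    """A heap is a finite partial function Loc -> Val, kept as a frozenset of (loc, val) pairs."""
    return frozenset(cells.items())

def dom(D):
    return {loc for loc, _ in D}

# Closed formulae as tagged tuples. ("pt", l, v) is l |-> v; ("pt", l, None) is l |-> -.
def pt(l, v=None):  return ("pt", l, v)
def star(p, q):     return ("star", p, q)
def disj(p, q):     return ("or", p, q)
EMPTY, TOP = ("empty",), ("top",)

def sat(D, phi):
    """D |= phi, following the semantics of closed formulae in Figure 3."""
    tag = phi[0]
    if tag == "pt":
        return len(D) == 1 and all(l == phi[1] and phi[2] in (None, v) for l, v in D)
    if tag == "star":
        # D |= p * q iff D splits as D1 . D2 (disjoint domains) with D1 |= p and D2 |= q
        cells = tuple(D)
        return any(sat(frozenset(D1), phi[1]) and sat(D - frozenset(D1), phi[2])
                   for r in range(len(cells) + 1) for D1 in combinations(cells, r))
    if tag == "or":
        return sat(D, phi[1]) or sat(D, phi[2])
    if tag == "empty":
        return len(D) == 0
    if tag == "top":
        return True
    raise ValueError(phi)

def all_heaps():
    """Every heap over LOC x VAL: each location is either absent or holds one value."""
    for choice in product((None,) + VAL, repeat=len(LOC)):
        yield frozenset((l, v) for l, v in zip(LOC, choice) if v is not None)

def subheaps(D):
    cells = tuple(D)
    return (frozenset(c) for r in range(len(cells) + 1) for c in combinations(cells, r))

def precise(chi):
    """Definition 4.1: for every heap D, at most one subheap D0 of D satisfies chi."""
    return all(sum(sat(D0, chi) for D0 in subheaps(D)) <= 1 for D in all_heaps())

def assign(l, v):
    """A[[ [l] := v ]] as a set of (pre, post) heap fragments: the cell at l changes from any
    value to v (assumption: this is the shape of A[[a]] the (L-Act) side condition ranges over)."""
    return {(heap(**{l: v0}), heap(**{l: v})) for v0 in VAL}

def lact_holds(phi, action, psi):
    """The (L-Act) side condition of Figure 4: for all D |= phi and (D1, D2) in A[[a]],
    dom(D1) lies within dom(D) (the frame property) and D1 within D implies (D \\ D1) u D2 |= psi."""
    for D in all_heaps():
        if not sat(D, phi):
            continue
        for D1, D2 in action:
            if not dom(D1) <= dom(D):
                return False          # the action touches a location the process does not own
            if D1 <= D and not sat((D - D1) | D2, psi):
                return False
    return True

# The invariant chi = l' |-> 0  v  (l' |-> 1 * l |-> 0) discussed in the text.
CHI = disj(pt("l2", 0), star(pt("l2", 1), pt("l", 0)))
```

Running `lact_holds(EMPTY, assign("l", 2), TOP)` returns `False` for exactly the reason the text gives: the pre-fragment $\{\ell \mapsto v_0\}$ is not within the domain of the empty heap, so the frame property fails.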

It is also possible to acquire ownership of locations through an invariant. Let the action $\mathbf{diverge}$ have the same semantics as that of the boolean guard $\mathbf{false}$, which is an action that can never occur, i.e. the process is stuck. We have the following derivation:

$\Gamma \vdash \{\chi\}\ [\ell'] = 0\ \{\ell' \mapsto 0\}$   $\Gamma \vdash \{\ell' \mapsto 0\}\ \mathbf{diverge}\ \{\ell' \mapsto 0 * \ell \mapsto 0\}$

$\Gamma \vdash \{\chi\}\ [\ell'] = 1\ \{\ell' \mapsto 1 * \ell \mapsto 0\}$   $\Gamma \vdash \{\ell' \mapsto 1 * \ell \mapsto 0\}\ [\ell'] := 0\ \{\ell' \mapsto 0 * \ell \mapsto 0\}$

------------------------------------------------------------
$\Gamma \vdash \{\chi\}\ ([\ell'] = 0.\mathbf{diverge}) + ([\ell'] = 1.[\ell'] := 0)\ \{\ell \mapsto 0 * \ell' \mapsto 0\}$

(L-Consequence)
$\Gamma \vdash \{\mathit{empty} * \chi\}\ ([\ell'] = 0.\mathbf{diverge}) + ([\ell'] = 1.[\ell'] := 0)\ \{\ell \mapsto 0 * \chi\}$

------------------------------------------------------------
$\Gamma \vdash \{\mathit{empty}\}\ \mathbf{with}\ r\ \mathbf{do}\ ([\ell'] = 0.\mathbf{diverge}) + ([\ell'] = 1.[\ell'] := 0)\ \mathbf{od}\ \{\ell \mapsto 0\}$

The undischarged hypotheses at the top of the derivation are all proved by the rule (L-Act). Let $t_0$ denote the process $([\ell'] = 0.\mathbf{diverge}) + ([\ell'] = 1.[\ell'] := 0)$. Observe that the process $\mathbf{with}\ r\ \mathbf{do}\ t_0\ \mathbf{od}$ is considered to own no part of the initial heap. As the process enters the critical region, it is considered to take ownership of the part of the heap satisfying the invariant for $r$, viz. $\chi$. There are two ways in which $\chi$ might be satisfied:

(1) It may be that the process gains ownership of the location $\ell'$, which holds value 0. In this case, only the guard $[\ell'] = 0$ of $t_0$ can pass, so the process must evolve to $\mathbf{diverge}$ and therefore never terminates. It is therefore trivially true that the remainder of the derivation (that if the process $t_0$ terminates then the part of the heap that it owns satisfies $\ell \mapsto 0 * \chi$, and therefore that after leaving the critical region and losing ownership of the locations satisfying $\chi$ the process owns location $\ell$) is sound.

(2) The process might have taken control of the locations $\ell$, holding value 0, and $\ell'$, holding value 1. Inside the critical region, the process $t_0$ can be seen to change the value of $\ell'$ from 1 to 0. The only way that the invariant $\chi$ can then be satisfied is by the location $\ell'$ holding 0, so ownership of $\ell'$ is lost as the process leaves the critical region. Importantly, the process retains ownership of location $\ell$.

Using the derivations given above, we can give an example of ownership of $\ell$, as exhibited by the right to write to $\ell$, being transferred (we have annotated internal assertions arising from the proofs above inside the program):

$\Gamma \vdash$
    $\{\ell \mapsto 2\}$
    $[\ell] := 0;$
    $\mathbf{with}\ r\ \mathbf{do}$
        $[\ell'] := 1$
    $\mathbf{od}$
    $\{\mathit{empty}\}$
  $\parallel$
    $\{\mathit{empty}\}$
    $\mathbf{with}\ r\ \mathbf{do}$
        $([\ell'] = 0.\mathbf{diverge}) + ([\ell'] = 1.[\ell'] := 0)$
    $\mathbf{od};$
    $\{\ell \mapsto 0\}$
    $[\ell] := 1$
    $\{\ell \mapsto 1\}$
$\{\ell \mapsto 1\}$

We also see that, in any terminating run of this process, it must be the case that the process on the left terminates strictly before the process on the right begins.

The final remark to be made on the rules of the logic is that (L-Res) allows invariants to be established for newly declared resources. We reason about the closed term $[r/w]t$, for an arbitrary 'fresh' resource $r$; it is sufficient to consider only one such resource, as shall be seen in Lemma 4.25. The resource $r$ is known not to occur in the domain of $\Gamma$ and hence does not occur in the term $t$, thanks to the following lemma, proved straightforwardly by induction on the judgement.

Lemma 4.2. If $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$ then $\mathrm{res}(t) \subseteq \mathrm{dom}(\Gamma)$. □

4.1. Ownership model. We now progress to give a formal interpretation of the rules presented in the previous section. The key idea is that the judgement $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$ is robust against the operation of other 'external' processes (which have themselves been subject to a judgement in the logic) on the state, so that the rule for parallel composition is valid. From the account presented earlier, external processes may act on the heap providing they do not access the locations 'owned' by the process $t$, and they may act to acquire and release resources providing they respect the invariants in $\Gamma$. External processes may also make non-current resources current through the instantiation of a resource variable and might make such resources non-current. The semantics of judgements must therefore keep a record of how each current location in the heap and each current resource is owned: whether the process might access the location, whether it forms part of an invariant protected by a resource, or whether external processes might act on that location, along with a similar record for resources. The semantics will include interference events to represent such forms of action by external processes.

Capturing these requirements, we construct an interference net with respect to the environment $\Gamma$ to represent the execution of suitable external processes proved against $\Gamma$. This involves creating ownership conditions $\omega_{\mathrm{proc}}(\ell)$, $\omega_{\mathrm{inv}}(\ell)$ and $\omega_{\mathrm{oth}}(\ell)$ for each location $\ell$. The intuition is that $\omega_{\mathrm{proc}}(\ell)$ is marked if $\ell$ is owned by the process, $\omega_{\mathrm{inv}}(\ell)$ if $\ell$ is used to satisfy the invariant for an available open resource, and $\omega_{\mathrm{oth}}(\ell)$ is marked if $\ell$ is current but owned by another process.

To give an example, suppose that we have the judgement

$\Gamma \vdash \{k \mapsto 1\}\ [k] := 0\ \{k \mapsto 0\}.$
The proof can be composed with the judgement $\Gamma \vdash \{\ell \mapsto 0\}\ [\ell] := 1\ \{\ell \mapsto 1\}$ to obtain

$\Gamma \vdash \{k \mapsto 1 * \ell \mapsto 0\}\ [k] := 0 \parallel [\ell] := 1\ \{k \mapsto 0 * \ell \mapsto 1\}.$

The first proof, that the assignment $[k] := 0$ changes the value at $k$ from 1 to 0, must take into account the possibility that the values held at other locations may change. In particular, it must take into account the possibility that the value at $\ell$ (taken not to equal $k$) changes from 0 to 1. We therefore reason about the net $\mathcal{N}[\![\,[k] := 0\,]\!]$ in the presence of the following interference event, which changes the value held at $\ell$ from 0 to 1:

[Figure: the interference event $\mathrm{act}(\{\ell \mapsto 0\}, \{\ell \mapsto 1\})$, with $\omega_{\mathrm{oth}}(\ell)$ among its pre- and postconditions]

Notably, the above event requires that the location $\ell$ is owned by an external process, i.e. the condition $\omega_{\mathrm{oth}}(\ell)$ is marked.

Since we do not know with which other judgements $\Gamma \vdash \{k \mapsto 1\}\ [k] := 0\ \{k \mapsto 0\}$ may be composed, there are interference events present in the net for all the forms of interference permissible according to the notion of ownership. For instance, the interference event which changes the value of $k$ from 0 to 1

[Figure: the interference event $\mathrm{act}(\{k \mapsto 0\}, \{k \mapsto 1\})$, drawn with $\omega_{\mathrm{proc}}(k)$ marked and $\omega_{\mathrm{inv}}(k)$ unmarked]

is present in the net. However, the judgement asserts that $k$ is owned by the process, so this interference event (and indeed any other interference event that affects $k$) will not be able to occur because the condition $\omega_{\mathrm{proc}}(k)$ will be marked, not $\omega_{\mathrm{oth}}(k)$.

As mentioned above, we introduce interference events to mimic the action of external processes on resources. The notion of ownership is therefore extended in this setting to resources, for example so that an external process cannot be allowed to release a resource held by the current process. It is important to make a distinction between resources in the domain of the environment $\Gamma$ (called open resources) and those that are not (called closed resources): open resources have invariants associated with them, so the ownership of the heap is affected by events that acquire or release them, as presented earlier in this section; this is not the case for closed resources. Closed resources are those resources made current to instantiate a local resource variable. They may either be used by the process being considered if it declared the resource, or be used by some external process if some external process declared the resource. We shall introduce conditions $\omega_{\mathrm{proc}}(r)$, $\omega_{\mathrm{inv}}(r)$ and $\omega_{\mathrm{oth}}(r)$ for each resource $r$. The condition $\omega_{\mathrm{proc}}(r)$ will be marked if either the resource is closed and was made current by the process or if the resource is open and is held by the process.
The condition $\omega_{\mathrm{inv}}(r)$ will be marked if $r$ is open and available. The condition $\omega_{\mathrm{oth}}(r)$ will be marked if either the resource is closed and was made current by an external process or if the resource is both open and held by an external process.
The set of ownership conditions is denoted $\mathbf{W}$:

$\mathbf{W} = \{\omega_{\mathrm{proc}}(\ell), \omega_{\mathrm{inv}}(\ell), \omega_{\mathrm{oth}}(\ell) \mid \ell \in \mathrm{Loc}\} \cup \{\omega_{\mathrm{proc}}(r), \omega_{\mathrm{inv}}(r), \omega_{\mathrm{oth}}(r) \mid r \in \mathrm{Res}\}.$

We use $W$ to range over markings of ownership conditions and introduce notations, as before, for the sets of pre-ownership conditions of $e$ and post-ownership conditions of $e$, respectively. For a set of locations $L$, we define the notation

$\omega_{\mathrm{proc}}(L) = \{\omega_{\mathrm{proc}}(\ell) \mid \ell \in L\},$

and define $\omega_{\mathrm{inv}}(L)$ and $\omega_{\mathrm{oth}}(L)$ similarly. Only certain markings of ownership conditions are consistent with a state $\sigma$:

Definition 4.3 (Consistent marking). The marking of state and ownership conditions $(\sigma, W)$ of $\mathcal{N}[\![t]\!]_\Gamma$ is consistent if:

(1) $\sigma$ is a consistent state in $\mathcal{N}[\![t]\!]$,

(2) for each $z \in \mathrm{Loc} \cup \mathrm{Res}$, at most one of $\{\omega_{\mathrm{proc}}(z), \omega_{\mathrm{inv}}(z), \omega_{\mathrm{oth}}(z)\}$ is marked,

(3) for each $z \in \mathrm{Loc} \cup \mathrm{Res}$, the condition $\mathrm{curr}(z)$ is in $\sigma$ iff precisely one of $\{\omega_{\mathrm{proc}}(z), \omega_{\mathrm{inv}}(z), \omega_{\mathrm{oth}}(z)\}$ is in $W$,

(4) if $r \in \mathrm{dom}(\Gamma)$ and $r \in \sigma$ then $\omega_{\mathrm{inv}}(r) \in W$,

(5) if $r \in \mathrm{dom}(\Gamma)$ and $r \notin \sigma$ then either $\omega_{\mathrm{proc}}(r) \in W$ or $\omega_{\mathrm{oth}}(r) \in W$, and

(6) if $\mathrm{curr}(r) \in \sigma$ and $r \notin \mathrm{dom}(\Gamma)$ then either $\omega_{\mathrm{proc}}(r) \in W$ or $\omega_{\mathrm{oth}}(r) \in W$.

Requirements (2) and (3) assert that $W$ is essentially a function from the set of current locations and resources describing their ownership. Requirement (4) states that any available open resource is owned as an invariant: it can be accessed either by the process being considered or by an external process, and there is an invariant associated with $r$. Requirement (5) states that any unavailable open resource is held either by the process or by an external process. Requirement (6) asserts that any closed resource is owned either by the current process or by an external process.

Table 1 defines a number of notations for events corresponding to the permitted interference described. To summarize, there will be interference events to represent the following kinds of action by external processes:

• $\mathrm{act}(D_1, D_2)$: Arbitrary action on the heap (excluding allocation or deallocation) owned by external processes.

• $\mathrm{alloc}(\ell, v, \ell', v')$: Allocation of a new location $\ell'$ by an external process, storing the result in the location $\ell$. The location $\ell$ must initially have been owned by an external process. Ownership of the new location $\ell'$ is taken by the external process.

• $\mathrm{dealloc}(\ell, v, \ell', v')$: Disposal of the location $\ell'$ pointed to by $\ell$. Both locations are initially owned by external processes, so $\omega_{\mathrm{oth}}(\ell)$ and $\omega_{\mathrm{oth}}(\ell')$ are preconditions to the event.

• $\mathrm{decl}(r)$: Declaration of a resource $r$. The condition $\mathrm{curr}(r)$ is marked by the event, so the resource was not initially current. Ownership of $r$ is taken by the external process, so $\omega_{\mathrm{oth}}(r)$ is in the postconditions of the event.

• $\mathrm{end}(r)$: End of scope of a resource $r$, only permissible if the resource was initially declared by an external process and therefore $\omega_{\mathrm{oth}}(r)$ is marked.
Abbreviation $u$ | Preconditions: state; ownership | Postconditions: state; ownership

$\mathrm{act}(D_1, D_2)$ | $D_1$; $\omega_{\mathrm{oth}}(\mathrm{dom}(D_1))$ | $D_2$; $\omega_{\mathrm{oth}}(\mathrm{dom}(D_2))$

$\mathrm{alloc}(\ell, v, \ell', v')$ | $\{\ell \mapsto v\}$; $\{\omega_{\mathrm{oth}}(\ell)\}$ | $\{\mathrm{curr}(\ell')\} \cup \{\ell \mapsto \ell', \ell' \mapsto v'\}$; $\{\omega_{\mathrm{oth}}(\ell), \omega_{\mathrm{oth}}(\ell')\}$

$\mathrm{dealloc}(\ell, \ell', v')$ | $\{\mathrm{curr}(\ell')\} \cup \{\ell \mapsto \ell', \ell' \mapsto v'\}$; $\{\omega_{\mathrm{oth}}(\ell), \omega_{\mathrm{oth}}(\ell')\}$ | $\{\ell \mapsto \ell'\}$; $\{\omega_{\mathrm{oth}}(\ell)\}$

$\mathrm{decl}(r)$ | $\{\}$; $\{\}$ | $\{\mathrm{curr}(r), r\}$; $\{\omega_{\mathrm{oth}}(r)\}$

$\mathrm{end}(r)$ | $\{\mathrm{curr}(r), r\}$; $\{\omega_{\mathrm{oth}}(r)\}$ | $\{\}$; $\{\}$

$\mathrm{acq}(r)$ | $\{r\}$; $\{\omega_{\mathrm{oth}}(r)\}$ | $\{\}$; $\{\omega_{\mathrm{oth}}(r)\}$

$\mathrm{rel}(r)$ | $\{\}$; $\{\omega_{\mathrm{oth}}(r)\}$ | $\{r\}$; $\{\omega_{\mathrm{oth}}(r)\}$

$\mathrm{acq}(r, D_0)$ | $D_0 \cup \{r\}$; $\omega_{\mathrm{inv}}(\mathrm{dom}(D_0)) \cup \{\omega_{\mathrm{inv}}(r)\}$ | $D_0$; $\omega_{\mathrm{oth}}(\mathrm{dom}(D_0)) \cup \{\omega_{\mathrm{oth}}(r)\}$

$\mathrm{rel}(r, D_0)$ | $D_0$; $\{\omega_{\mathrm{oth}}(r)\} \cup \omega_{\mathrm{oth}}(\mathrm{dom}(D_0))$ | $D_0 \cup \{r\}$; $\{\omega_{\mathrm{inv}}(r)\} \cup \omega_{\mathrm{inv}}(\mathrm{dom}(D_0))$

Table 1: Interference events



• $\mathrm{acq}(r)$: For a closed resource $r$, the external process may acquire the resource if it is not local to the process being considered and therefore $\omega_{\mathrm{oth}}(r)$ is marked.

• $\mathrm{rel}(r)$: For a closed resource $r$, the external process may release the resource if it is not local to the process being considered and therefore $\omega_{\mathrm{oth}}(r)$ is marked.

• $\mathrm{acq}(r, D_0)$: For an open resource $r$ with an invariant $\chi$ in $\Gamma$, if $D_0 \models \chi$ and $D_0$ is part of the current heap then ownership of the locations in the domain of $D_0$ is changed from being protected by the resource to being owned by the external process, i.e. un-marking $\omega_{\mathrm{inv}}(\ell)$ and marking $\omega_{\mathrm{oth}}(\ell)$ for each location $\ell \in \mathrm{dom}(D_0)$. The ownership of $r$ also changes, from $\omega_{\mathrm{inv}}(r)$ being marked to $\omega_{\mathrm{oth}}(r)$ being marked.

• $\mathrm{rel}(r, D_0)$: The corresponding release action.

Definition 4.4 (Interference net). The interference net for $\Gamma$ has conditions $\mathcal{S}$, the state conditions, and $\mathcal{W}$, the ownership conditions. It has the following events:

• $\mathrm{act}(D_1, D_2)$ for all $D_1$ and $D_2$ forming partial functions with the same domain

• $\mathrm{alloc}(\ell, v, \ell', v')$ and $\mathrm{dealloc}(\ell, \ell', v')$ for all locations $\ell$ and $\ell'$ and values $v$ and $v'$

• $\mathrm{decl}(r)$ and $\mathrm{end}(r)$ for all resources $r$

• $\mathrm{acq}(r)$ and $\mathrm{rel}(r)$ for all closed resources $r$

• $\mathrm{acq}(r, D_0)$ and $\mathrm{rel}(r, D_0)$ for all $r \in \mathrm{dom}(\Gamma)$ and $D_0$ such that $D_0 \models \chi$, for $\chi$ the unique formula such that $r : \chi \in \Gamma$

We use the symbol $u$ to range over interference events.
The interference events illustrate how the ownership of locations is dynamic and how this constrains the possible forms of interference. The rule for parallel composition requires that the behaviour of the process being reasoned about itself conforms to these constraints, allowing its action to be seen as interference when reasoning about the other process. This requirement may be captured by synchronizing the events of the process with those from the interference net in the following way:

• The process event $\mathrm{act}_{(C,C')}(D, D')$ synchronizes with $\mathrm{act}(D, D')$

• The process event $\mathrm{alloc}_{(C,C')}(\ell, v, \ell', v')$ synchronizes with $\mathrm{alloc}(\ell, v, \ell', v')$

• The process event $\mathrm{dealloc}_{(C,C')}(\ell, \ell', v')$ synchronizes with $\mathrm{dealloc}(\ell, \ell', v')$

• The process event $\mathrm{decl}_{(C,C')}(r)$ synchronizes with $\mathrm{decl}(r)$

• The process event $\mathrm{end}_{(C,C')}(r)$ synchronizes with $\mathrm{end}(r)$

• The process event $\mathrm{acq}_{(C,C')}(r)$ synchronizes with $\mathrm{acq}(r)$ for any closed resource $r$, i.e. for any $r \notin \mathrm{dom}(\Gamma)$

• The process event $\mathrm{rel}_{(C,C')}(r)$ synchronizes with $\mathrm{rel}(r)$ for any closed resource $r$

• If $r$ is an open resource with $r : \chi \in \Gamma$, the process event $\mathrm{acq}_{(C,C')}(r)$ synchronizes with every $\mathrm{acq}(r, D_0)$ such that $D_0 \models \chi$. Similarly, $\mathrm{rel}_{(C,C')}(r)$ synchronizes with every $\mathrm{rel}(r, D_0)$ such that $D_0 \models \chi$.

Suppose that two events synchronize, $e$ from the process and $u$ from the interference net. The event $u$ is the event that would fire in the net for the other parallel process to simulate the event $e$; it is its dual. Let $e \cdot u$ be the event formed by taking the union of the pre- and postconditions of $e$ and $u$, but using $\omega_{proc}(\ell)$ in place of $\omega_{oth}(\ell)$ and similarly $\omega_{proc}(r)$ in place of $\omega_{oth}(r)$:

$${}^\bullet(e \cdot u) = \{\, b \mid b \in {}^\bullet e \cup {}^\bullet u \text{ and } \neg\exists z.\ b = \omega_{oth}(z) \,\} \cup \{\, \omega_{proc}(z) \mid \omega_{oth}(z) \in {}^\bullet u \,\}$$

$$(e \cdot u)^\bullet = \{\, b \mid b \in e^\bullet \cup u^\bullet \text{ and } \neg\exists z.\ b = \omega_{oth}(z) \,\} \cup \{\, \omega_{proc}(z) \mid \omega_{oth}(z) \in u^\bullet \,\}$$

Example 4.5 (Synchronization of heap actions). Define the following events:

[Figure: the events $e$, $u$ and $e \cdot u$ drawn as nets.]
$$e = \mathrm{act}_{(C,C')}(\{\ell \mapsto 0\}, \{\ell \mapsto 1\}) \qquad u = \mathrm{act}(\{\ell \mapsto 0\}, \{\ell \mapsto 1\}) \qquad e \cdot u$$

The event $e$ is an event inside the process net, with pre-control conditions $C$ and post-control conditions $C'$, that changes the value of $\ell$ from 0 to 1. It synchronizes with only one event, $u$, which performs the corresponding interference action. For the event $u$ to occur, the condition $\omega_{oth}(\ell)$ must be marked, i.e. the location $\ell$ must be seen as owned by an 'external' process. The event formed by synchronizing $e$ and $u$ is $e \cdot u$, which requires the location $\ell$ to be owned by the current process for it to occur. □

Example 4.6 (Synchronization of critical regions). Define the following events, where the event $e$ is an event inside the process net, with pre-control conditions $C$ and post-control conditions $C'$, that acquires the open resource $r$.

[Figure: the events $e$, $u_1$, $u_2$ and the synchronized events $s_1 = e \cdot u_1$ and $s_2 = e \cdot u_2$ drawn as nets.]

Recall the invariant $\ell' \mapsto 0 \vee (\ell' \mapsto 1 * \ell \mapsto 0)$ used above. There are two heaps, $D_1 = \{\ell' \mapsto 0\}$ and $D_2 = \{\ell' \mapsto 1, \ell \mapsto 0\}$, that satisfy this formula. There are correspondingly two interference events, $u_1 = \mathrm{acq}(r, D_1)$ and $u_2 = \mathrm{acq}(r, D_2)$, that synchronize with $e$: the event $u_1$ acquires the resource $r$ and transfers the ownership of $\ell'$ and $r$ from the invariant to the external process, whereas the event $u_2$ acquires the resource $r$ and transfers ownership of $\ell$, $\ell'$ and $r$ from the invariant to the external process. The event $u_1$ requires that the heap initially has value 0 at $\ell'$; the event $u_2$ requires that the heap initially has value 1 at $\ell'$ and 0 at $\ell$. The synchronized events $e \cdot u_1$ and $e \cdot u_2$ are similar, but transfer ownership from the invariant to the process being considered. □

The semantics of judgements made using the rules of concurrent separation logic will consider a net $\mathcal{W}[\![t]\!]_\Gamma$ with both interference events, to represent external processes running, and synchronized events, to represent the process $t$.

Definition 4.7 (Ownership net). The ownership net for $t$ in $\Gamma$, denoted $\mathcal{W}[\![t]\!]_\Gamma$, is the net formed with the previous definitions of control conditions $\mathcal{C}$, state conditions $\mathcal{S}$ and ownership conditions $\mathcal{W}$, and events:

• every event $u$ from the interference net for $\Gamma$, and

• every event $e \cdot u$ where $e$ is an event of $\mathcal{N}[\![t]\!]$ and $u$ is an event from the interference net such that $e$ and $u$ synchronize.

We shall continue to use the symbol $e$ to refer to any kind of event in ownership nets, but shall reserve the symbol $s$ for those events known in particular to be synchronized events.

A consequence of the precision of invariants is that at most one of the synchronized events corresponding to an event in $\mathcal{N}[\![t]\!]$ may be enabled in any marking of the ownership net $\mathcal{W}[\![t]\!]_\Gamma$.

Lemma 4.8. For any marking $\sigma$ of state conditions, let $(C, \sigma, W)$ and $(C, \sigma, W')$ be consistent markings of the net $\mathcal{W}[\![t]\!]_\Gamma$. For any event $e$ in $\mathcal{N}[\![t]\!]$ and any interference events $u$ and $u'$ in $\mathcal{W}[\![t]\!]_\Gamma$, if $e \cdot u$ has concession in $(C, \sigma, W)$ and $e \cdot u'$ has concession in $(C, \sigma, W')$ then $u = u'$.

Proof. Straightforwardly seen to follow from precision by an analysis of the possible forms of the event $e$. □

The occurrence of a synchronized event $e \cdot u$ in a marking $(C, \sigma, W)$ of the net $\mathcal{W}[\![t]\!]_\Gamma$ clearly gives rise to the occurrence of the event $e$ in $\mathcal{N}[\![t]\!]$. The earlier results describing the behaviour of $\mathcal{N}[\![t]\!]$ in terms of the behaviour of the nets representing its subterms can therefore be applied to the net $\mathcal{W}[\![t]\!]_\Gamma$.

Lemma 4.9. If $M = (C, \sigma, W)$ and $M' = (C', \sigma', W')$ are markings of $\mathcal{W}[\![t]\!]_\Gamma$ and $M \xrightarrow{e} M'$ then either $e$ is an interference event and $C = C'$, or $e = e_1 \cdot u$ for an event $e_1$ of $\mathcal{N}[\![t]\!]$ and an interference event $u$, and $(C, \sigma) \xrightarrow{e_1} (C', \sigma')$ in $\mathcal{N}[\![t]\!]$.

Proof. The events of $\mathcal{W}[\![t]\!]_\Gamma$ are, by definition, only interference events or synchronized events. If $e$ is an interference event then $C = C'$ because ${}^\circ e = \emptyset$ and $e^\circ = \emptyset$. For a synchronized event $e_1 \cdot u$, observe that ${}^\circ(e_1 \cdot u) = {}^\circ e_1$ and $(e_1 \cdot u)^\circ = e_1^\circ$, and similarly for the pre- and postconditions of $e_1$ on the $L$, $R$ and $N$ components of the state. The only cases where the heap pre- or postconditions of $e_1 \cdot u$ differ from those of $e_1$ are acquisition or release of an open resource, but in these cases $e_1$ has no heap pre- or postconditions at all, and the heap preconditions of $e_1 \cdot u$ coincide with its heap postconditions (both being $D_0$). The result follows as a straightforward calculation. □

The proof that consistent markings are preserved in the net $\mathcal{W}[\![t]\!]_\Gamma$ is similar to that of Lemma 3.25; the additional requirements on the marking of ownership conditions are readily seen to be preserved by both interference and synchronized events.

Lemma 4.10 (Preservation of consistent markings). For any closed term $t$, if in the net $\mathcal{W}[\![t]\!]_\Gamma$ it is the case that $(\mathrm{Ic}(t), \sigma_0, W_0) \to^* (C, \sigma, W)$ and $(\sigma_0, W_0)$ is consistent then $(\sigma, W)$ is consistent. □

The formulation of the ownership net permits a fundamental understanding of when a process acts in a way that cannot be seen as any form of interference; that is, when the process has violated its guarantees.

Definition 4.11 (Violating marking). Let $M = (C, \sigma, W)$ be a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$. We say that $M$ is violating if there exists an event $e$ of $\mathcal{N}[\![t]\!]$ that has concession in the marking $(C, \sigma)$ but there is no event $u$ from the interference net that synchronizes with $e$ such that $e \cdot u$ has concession in $(C, \sigma, W)$.

We shall give two examples of violating markings. The first is an example of action on an unowned location, and the second shows how release of an open resource causes a violation if the invariant is not restored.

Example 4.12. Let $(\{i\}, \sigma, W)$ be a consistent marking of $\mathcal{W}[\![[\ell] := 1]\!]_\Gamma$ with $\ell \mapsto 0 \in \sigma$ and $\omega_{oth}(\ell) \in W$. The event $e = \mathrm{act}_{(\{i\},\{t\})}(\{\ell \mapsto 0\}, \{\ell \mapsto 1\})$ has concession in $(\{i\}, \sigma)$, but the only interference event that can synchronize with $e$ is $u = \mathrm{act}(\{\ell \mapsto 0\}, \{\ell \mapsto 1\})$. We have $\omega_{oth}(\ell) \in W$, so $\omega_{proc}(\ell) \notin W$ by consistency, whereas $\omega_{proc}(\ell) \in {}^\bullet(e \cdot u)$; the event $e \cdot u$ therefore does not have concession in the marking $(\{i\}, \sigma, W)$, which is consequently violating: the process acted on the unowned location $\ell$. □
Example 4.13. Let $r$ be an open resource with the invariant $\chi = \ell' \mapsto 0 \vee (\ell' \mapsto 1 * \ell \mapsto 0)$, and let $(C, \sigma, W)$ be a consistent marking of $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$ with $\{\ell \mapsto 1, \ell' \mapsto 1\} \subseteq \sigma$ and $\omega_{proc}(\ell), \omega_{proc}(\ell') \in W$. Suppose further that the event $e = \mathrm{rel}_{(C_1,C_2)}(r)$ has concession in $(C, \sigma)$ in the net $\mathcal{N}[\![t]\!]$. The only two interference events in $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$ that synchronize with $e$ are

$$u_1 = \mathrm{rel}(r, \{\ell' \mapsto 0\})$$

$$u_2 = \mathrm{rel}(r, \{\ell' \mapsto 1, \ell \mapsto 0\}),$$

corresponding to the two ways in which $\chi$ can be satisfied. The invariant is not satisfied in the heap component of $\sigma$, so the preconditions of the two events

$${}^\bullet(e \cdot u_1) = C_1 \cup \{\ell' \mapsto 0, \omega_{proc}(\ell'), \omega_{proc}(r)\}$$

$${}^\bullet(e \cdot u_2) = C_1 \cup \{\ell' \mapsto 1, \ell \mapsto 0, \omega_{proc}(\ell'), \omega_{proc}(\ell), \omega_{proc}(r)\}$$

are not contained in the marking $(C, \sigma, W)$, which is therefore a violating marking: there was no part of the owned heap that satisfied the invariant, yet the resource was released. □
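The following is an added worked example, not code from the paper, that models the machinery of Examples 4.5, 4.12 and 4.13 executably: the interference events act and rel(r, D0) of Table 1, synchronization e·u (ω_oth read as ω_proc), concession and firing in a safe net, the violating-marking test of Definition 4.11, and the ownership split of Definition 4.15 as exercised by Lemma 4.16. It assumes a concrete encoding of conditions as tuples and represents a precise invariant by the finite list of heaps that satisfy it; the locations l, l', the resource r and the markings are constructed for the example. Closed resources and the allocation events are left out.

```python
from dataclasses import dataclass

# Conditions are tuples: heap cell l ↦ v is ("cell", l, v); curr(z) is ("curr", z); an
# available resource r is ("res", r); omega_proc/inv/oth(z) are ("proc", z)/("inv", z)/
# ("oth", z); control conditions are ("ctl", name).  A marking is a frozenset of these.
OWN = ("proc", "inv", "oth")

@dataclass(frozen=True)
class Event:
    pre: frozenset
    post: frozenset
    kind: str = ""      # "act" / "rel" on process events, used to find their partners
    args: tuple = ()

def cells(D):           # heap D given as {location: value}
    return frozenset(("cell", l, v) for l, v in D.items())
def owned(kind, zs):
    return frozenset((kind, z) for z in zs)

# Interference events of Table 1 (the environment's ownership is marked omega_oth).
def act(D1, D2):
    assert D1.keys() == D2.keys()
    return Event(cells(D1) | owned("oth", D1), cells(D2) | owned("oth", D2))
def rel_open(r, D0):    # rel(r, D0): the environment returns D0 and r to r's invariant
    return Event(cells(D0) | {("oth", r)} | owned("oth", D0),
                 cells(D0) | {("res", r), ("inv", r)} | owned("inv", D0))

# Process events carry control and state conditions only, never ownership conditions.
def proc_act(C, C2, D1, D2):
    return Event(frozenset(C) | cells(D1), frozenset(C2) | cells(D2), "act", (D1, D2))
def proc_rel(C, C2, r):
    return Event(frozenset(C), frozenset(C2) | {("res", r)}, "rel", (r,))

def synchronize(e, u):
    """e·u: union of the pre/post conditions, reading omega_oth(z) as omega_proc(z)."""
    to_proc = lambda cs: frozenset(("proc", c[1]) if c[0] == "oth" else c for c in cs)
    return Event(to_proc(e.pre | u.pre), to_proc(e.post | u.post))

def partners(e, Gamma):
    """Interference events synchronizing with e; Gamma maps each open resource to the
    finite list of heaps satisfying its precise invariant."""
    if e.kind == "act":
        return [act(*e.args)]
    return [rel_open(e.args[0], D0) for D0 in Gamma[e.args[0]]]

def has_concession(ev, M):  # safe-net concession: pre marked, post not already marked
    return ev.pre <= M and not ((M - ev.pre) & ev.post)
def fire(ev, M):
    assert has_concession(ev, M)
    return (M - ev.pre) | ev.post

def is_violating(M, process_events, Gamma):
    """Definition 4.11: a process event has concession on (C, sigma) but none of its
    synchronized forms e·u has concession on (C, sigma, W)."""
    no_own = frozenset(c for c in M if c[0] not in OWN)
    return any(has_concession(e, no_own) and
               not any(has_concession(synchronize(e, u), M) for u in partners(e, Gamma))
               for e in process_events)

def ownership_split(W, side1):
    """Definition 4.15: what side1 owns stays omega_proc in W1 and is omega_oth in W2."""
    W1, W2 = set(), set()
    for kind, z in W:
        if kind != "proc":
            W1.add((kind, z)); W2.add((kind, z))
        elif z in side1:
            W1.add(("proc", z)); W2.add(("oth", z))
        else:
            W2.add(("proc", z)); W1.add(("oth", z))
    return frozenset(W1), frozenset(W2)

def is_split(W, W1, W2):
    return all((("oth", z) in W) == (("oth", z) in W1 and ("oth", z) in W2) and
               (("inv", z) in W) == (("inv", z) in W1 and ("inv", z) in W2) and
               (("proc", z) in W) == ((("proc", z) in W1 and ("oth", z) in W2) or
                                      (("proc", z) in W2 and ("oth", z) in W1))
               for z in {z for _, z in W | W1 | W2})

# The page's examples on constructed markings: locations l, l' and open resource r.
L, LP, R, I, T = "l", "l'", "r", ("ctl", "i"), ("ctl", "t")
CHI = [{LP: 0}, {LP: 1, L: 0}]      # models of l' ↦ 0 ∨ (l' ↦ 1 * l ↦ 0), which is precise
GAMMA = {R: CHI}

def example_4_12(owned_by_process):
    """[l] := 1 with l holding 0: violating exactly when l is owned elsewhere."""
    e = proc_act({I}, {T}, {L: 0}, {L: 1})
    M = frozenset({I, ("curr", L), ("proc" if owned_by_process else "oth", L)}) | cells({L: 0})
    return is_violating(M, [e], GAMMA)

def example_4_13(heap):
    """rel(r) on the open resource r: violating iff no owned sub-heap satisfies chi."""
    e = proc_rel({("ctl", "c1")}, {("ctl", "c2")}, R)
    M = (frozenset({("ctl", "c1"), ("curr", R), ("proc", R)}) | cells(heap)
         | owned("curr", heap) | owned("proc", heap))
    return is_violating(M, [e], GAMMA), M, e

def demo_lemma_4_16():
    """Lemma 4.16: firing e·u from W1 and its dual u from W2 yields a split of W'."""
    _, M, e = example_4_13({L: 1, LP: 0})
    u = rel_open(R, {LP: 0}); s = synchronize(e, u)
    W = frozenset(c for c in M if c[0] in OWN); base = M - W
    W1, W2 = ownership_split(W, side1={L, LP, R})
    Wp, W1p, W2p = (frozenset(c for c in fire(ev, base | Wx) if c[0] in OWN)
                    for ev, Wx in ((s, W), (s, W1), (u, W2)))
    # once l' and r belong to the other side, the process owns too little to fire s
    return is_split(Wp, W1p, W2p) and not has_concession(s, base | ownership_split(W, {L})[0])
```

`example_4_12(False)` reproduces the violation of Example 4.12 and `example_4_12(True)` shows that the same action is unproblematic once the process owns ℓ; `example_4_13({"l": 1, "l'": 1})` is the violating release of Example 4.13, while releasing from a heap with ℓ' ↦ 0 fires e·u₁ and moves ℓ' and r to ω_inv. The concession test includes the no-contact condition, which is what makes freshness of declared resources and allocated locations checkable on the net.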

If no violating marking is ever encountered, the behaviour of $\mathcal{W}[\![t]\!]_\Gamma$ encapsulates all that of $\mathcal{N}[\![t]\!]$.

Lemma 4.14. For any consistent marking $(C, \sigma, W)$ of the net $\mathcal{W}[\![t]\!]_\Gamma$ and any event $e \in \mathrm{Ev}(t)$, if $(C, \sigma) \xrightarrow{e} (C', \sigma')$ in $\mathcal{N}[\![t]\!]$ then either $(C, \sigma, W)$ is violating or there exist a marking of ownership conditions $W'$ and an interference event $u$ that synchronizes with $e$ such that $(C, \sigma, W) \xrightarrow{e \cdot u} (C', \sigma', W')$ in $\mathcal{W}[\![t]\!]_\Gamma$.

Proof. Immediate from the definition of violating marking and the fact that, for any $e$ and $u$ that synchronize and any state $\sigma$,

$${}^\circ(e \cdot u) = {}^\circ e \qquad (e \cdot u)^\circ = e^\circ \qquad \sigma \setminus {}^{S}(e \cdot u) \cup (e \cdot u)^{S} = \sigma \setminus {}^{S}e \cup e^{S},$$

where ${}^{S}e$ and $e^{S}$ denote the state pre- and postconditions of $e$; this is easily proved by inspection of the forms that $e \cdot u$ may take. □



4.2. Soundness and validity. The rule for parallel composition permits the view that the ownership of the heap is initially split between the two processes, so that what one process owns is seen as owned by an external process by the other.

Definition 4.15 (Ownership split). Let $W$ be a marking of ownership conditions. Markings of ownership conditions $W_1$ and $W_2$ form an ownership split of $W$ if for all $z \in \mathrm{Loc} \cup \mathrm{Res}$:

• $\omega_{oth}(z) \in W$ iff $\omega_{oth}(z) \in W_1$ and $\omega_{oth}(z) \in W_2$,

• $\omega_{inv}(z) \in W$ iff $\omega_{inv}(z) \in W_1$ and $\omega_{inv}(z) \in W_2$, and

• $\omega_{proc}(z) \in W$ iff either $\omega_{proc}(z) \in W_1$ and $\omega_{oth}(z) \in W_2$, or $\omega_{proc}(z) \in W_2$ and $\omega_{oth}(z) \in W_1$.

If $W_1$ and $W_2$ form an ownership split of $W$, then fewer locations and resources are owned by the process in $W_1$ than in $W$, and similarly for $W_2$. As one would expect, a process can act in the same way without causing a violation if it owns more, and more interference can occur if the process owns less. This is the essence of the frame property referred to earlier.
Lemma 4.16. Consider markings of the net $\mathcal{W}[\![t]\!]_\Gamma$. Let $W_1$ and $W_2$ form an ownership split of $W$.

• For any synchronized event $s = e \cdot u$, if $(C, \sigma, W_1) \xrightarrow{s} (C', \sigma', W_1')$ then there exist $W'$ and $W_2'$ such that $(C, \sigma, W) \xrightarrow{s} (C', \sigma', W')$ and $(C, \sigma, W_2) \xrightarrow{u} (C, \sigma', W_2')$, and furthermore $W_1'$ and $W_2'$ form an ownership split of $W'$.

• For any interference event $u$, if $(C, \sigma, W) \xrightarrow{u} (C, \sigma', W')$ then there exist $W_1'$ and $W_2'$ such that $(C, \sigma, W_1) \xrightarrow{u} (C, \sigma', W_1')$ and $(C, \sigma, W_2) \xrightarrow{u} (C, \sigma', W_2')$, and furthermore $W_1'$ and $W_2'$ form an ownership split of $W'$.

Proof. A straightforward (but long) analysis of the possible forms of $s$ and $u$. □

Following Brookes' lead, we are now able to prove the key lemma upon which the proof of soundness rests. The effect of this lemma is that the terminal states of parallel processes may be determined simply by observing the terminal markings of the net of each parallel process running in isolation, provided the ownership of the initial state is split correctly. For convenience, the lemma is stated without indicating the particular event that takes place on the net transition relation.

Lemma 4.17 (Parallel decomposition). Let $M = (1{:}C_1 \cup 2{:}C_2, \sigma, W)$ be a consistent marking of the net $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$, and let $W_1$ and $W_2$ form an ownership split of $W$. The markings $M_1 = (C_1, \sigma, W_1)$ and $M_2 = (C_2, \sigma, W_2)$ are consistent, and furthermore:

• If the marking $M$ is violating in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ then either $M_1$ is violating in $\mathcal{W}[\![t_1]\!]_\Gamma$ or $M_2$ is violating in $\mathcal{W}[\![t_2]\!]_\Gamma$.

• If neither $M_1$ nor $M_2$ is violating and $(1{:}C_1 \cup 2{:}C_2, \sigma, W) \to (1{:}C_1' \cup 2{:}C_2', \sigma', W')$ in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ then there exist $W_1'$ and $W_2'$ forming an ownership split of $W'$ such that $(C_1, \sigma, W_1) \to (C_1', \sigma', W_1')$ in $\mathcal{W}[\![t_1]\!]_\Gamma$ and $(C_2, \sigma, W_2) \to (C_2', \sigma', W_2')$ in $\mathcal{W}[\![t_2]\!]_\Gamma$.

Proof. It is straightforward from Definition 4.3 to see that $M_i$ is a consistent marking for both $i \in \{1, 2\}$.

(1) Suppose that the marking $M$ is violating in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$. Without loss of generality, assume that this is because there exists an event $1{:}e_1$ of $\mathcal{N}[\![t_1 \parallel t_2]\!]$ that has concession in the marking $(1{:}C_1 \cup 2{:}C_2, \sigma)$ but there is no interference event $u$ such that $1{:}e_1$ synchronizes with $u$ and $(1{:}e_1) \cdot u$ has concession in $M$. Assume, for contradiction, that the marking $M_1$ is non-violating in $\mathcal{W}[\![t_1]\!]_\Gamma$. The event $e_1$ has concession in the marking $(C_1, \sigma)$ of $\mathcal{N}[\![t_1]\!]$ by the first part of Lemma 3.6, so there must exist an interference event $u_1$ of $\mathcal{W}[\![t_1]\!]_\Gamma$ such that $e_1 \cdot u_1$ has concession in $M_1$. The interference events of $\mathcal{W}[\![t_1]\!]_\Gamma$ are precisely the interference events of $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$, and the tagging of control conditions has no effect on whether events may synchronize, so the event $(1{:}e_1) \cdot u_1$ is in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$. From Lemmas 4.16 and 3.6, the event $(1{:}e_1) \cdot u_1$ has concession in the marking $M$, which is therefore not violating: a contradiction.

(2) It is a straightforward consequence of Lemma 4.16 that the second property holds if the transition $(1{:}C_1 \cup 2{:}C_2, \sigma, W) \to (1{:}C_1' \cup 2{:}C_2', \sigma', W')$ is induced by the occurrence of an interference event. Suppose instead that it is induced by a synchronized event. Without loss of generality, suppose that in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ we have $M \xrightarrow{(1:e_1) \cdot u} M'$ for $M' = (1{:}C_1' \cup 2{:}C_2, \sigma', W')$, for some event $e_1$ in $\mathcal{N}[\![t_1]\!]$. We shall show that $M_1 \xrightarrow{e_1 \cdot u} (C_1', \sigma', W_1')$ in $\mathcal{W}[\![t_1]\!]_\Gamma$ and $M_2 \xrightarrow{u} (C_2, \sigma', W_2')$ in $\mathcal{W}[\![t_2]\!]_\Gamma$ for some $W_1'$ and $W_2'$ that form an ownership split of $W'$. Since we have $M \xrightarrow{(1:e_1) \cdot u} M'$ in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$, it is easy to see that we have $(1{:}C_1 \cup 2{:}C_2, \sigma) \xrightarrow{1:e_1} (1{:}C_1' \cup 2{:}C_2', \sigma')$ in $\mathcal{N}[\![t_1 \parallel t_2]\!]$ and $C_2 = C_2'$. Hence in $\mathcal{N}[\![t_1]\!]$ we have $(C_1, \sigma) \xrightarrow{e_1} (C_1', \sigma')$. By assumption, the marking $(C_1, \sigma, W_1)$ is not a violating marking of $\mathcal{W}[\![t_1]\!]_\Gamma$, so there exists an interference event $u_1$ that synchronizes with $e_1$ such that $(C_1, \sigma, W_1) \xrightarrow{e_1 \cdot u_1} (C_1', \sigma', W_1')$ for some $W_1'$ in $\mathcal{W}[\![t_1]\!]_\Gamma$, and so in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ we have $(1{:}C_1 \cup 2{:}C_2, \sigma, W_1) \xrightarrow{(1:e_1) \cdot u_1} (1{:}C_1' \cup 2{:}C_2, \sigma', W_1')$. By Lemma 4.8 we have $u_1 = u$. Now, by Lemma 4.16, there exist $W''$ and $W_2'$ such that $W_1'$ and $W_2'$ form an ownership split of $W''$ and $(1{:}C_1 \cup 2{:}C_2, \sigma, W) \xrightarrow{(1:e_1) \cdot u} (1{:}C_1' \cup 2{:}C_2, \sigma', W'')$ and $(1{:}C_1 \cup 2{:}C_2, \sigma, W_2) \xrightarrow{u} (1{:}C_1 \cup 2{:}C_2, \sigma', W_2')$. The occurrence of an event in a marking leads to a unique marking, so $W'' = W'$. It is easy to see that $(C_1, \sigma, W_1) \xrightarrow{e_1 \cdot u} (C_1', \sigma', W_1')$ in $\mathcal{W}[\![t_1]\!]_\Gamma$ and that $(C_2, \sigma, W_2) \xrightarrow{u} (C_2, \sigma', W_2')$ in $\mathcal{W}[\![t_2]\!]_\Gamma$, so the proof is complete. □

The ownership semantics described above has been carefully defined to explicitly take into account the intuitions behind the rule for parallel composition, resulting in the short proof of the parallel decomposition lemma above. The remaining complexity in the proof of soundness lies in the rule for establishing an invariant associated with a resource:

$$\text{(L-Res)} \qquad \frac{\Gamma, r : \chi \vdash \{\varphi\}\ [r/w]t\ \{\psi\}}{\Gamma \vdash \{\varphi * \chi\}\ \mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}\ \{\psi * \chi\}} \qquad \chi \text{ precise},\ r \notin \mathrm{dom}(\Gamma)$$

It is quite easy to see why this rule follows the intuitive semantics for judgements presented above: any run of the net $\mathcal{W}[\![\mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}]\!]_\Gamma$ to a terminal marking from a state with the heap owned by the process initially satisfying $\varphi * \chi$ can be seen, in conjunction with Lemma 3.21, as consisting first of an event that declares a fresh resource $r$ current, then a run of $\mathcal{W}[\![[r/w]t]\!]_\Gamma$, followed by an event that makes $r$ non-current. The run of $\mathcal{W}[\![[r/w]t]\!]_\Gamma$ from a state where the part of the heap that the process owns satisfies $\varphi * \chi$ is simulated by a run of $\mathcal{W}[\![[r/w]t]\!]_{\Gamma, r:\chi}$ along which the locations satisfying $\chi$ are owned by the invariant $\chi$ in an environment where $r$ is an open resource. In particular, the run obtained has no interference on the resource $r$ or the locations that it protects, and $r$ is available in the terminal state of the run. Assuming the validity of the judgement $\Gamma, r : \chi \vdash \{\varphi\}\ [r/w]t\ \{\psi\}$, the resulting state owned by the process is therefore seen to satisfy the formula $\psi * \chi$. Similarly, a reachable marking in $\mathcal{W}[\![\mathbf{resource}\ w\ \mathbf{do}\ t\ \mathbf{od}]\!]_\Gamma$ where the process accesses a location or resource that it does not own would give rise to a reachable marking in $\mathcal{W}[\![[r/w]t]\!]_{\Gamma, r:\chi}$ where the process accesses an unowned location or resource. The more formal presentation of this intuition follows.

We shall begin by explicitly characterizing the runs of the net $\mathcal{W}[\![\mathbf{resource}\ w\ \mathbf{do}\ t_0\ \mathbf{od}]\!]_\Gamma$. The result is again a little technical, as is the lemma that follows it, Lemma 4.21; both are used in the proof of soundness of the rule (L-Res). The reader may wish to pass over this result and Lemma 4.21 and only take note of the following definitions of $\mathrm{inv}(\Gamma, R)$ and of $D \restriction_W \mathrm{proc}$, $D \restriction_W \mathrm{inv}$ and $D \restriction_W \mathrm{oth}$.

Lemma 4.18. Suppose that $\sigma_0$ and $W_0$ form a consistent marking of state and ownership conditions and let $t = \mathbf{resource}\ w\ \mathbf{do}\ t_0\ \mathbf{od}$. For a resource $r$, define the synchronized events

$$s_r = \mathrm{decl}_{(\mathrm{Ic}(t),\ r{:}\mathrm{Ic}([r/w]t_0))}(r) \cdot \mathrm{decl}(r)$$

$$s'_r = \mathrm{end}_{(r{:}\mathrm{Tc}([r/w]t_0),\ \mathrm{Tc}(t))}(r) \cdot \mathrm{end}(r)$$

If in the net $\mathcal{W}[\![t]\!]_\Gamma$ we have $\pi : (\mathrm{Ic}(t), \sigma_0, W_0) \to^* (C, \sigma, W)$ then either:

• $C = \mathrm{Ic}(t)$ and $\pi$ consists only of interference events, or

• there exist $r$, $C'$, $\sigma'$, $W'$, $\pi_0$ and $\pi_1$ such that $\pi_0$ comprises only interference events, $C = r{:}C'$ and

$$\pi = \pi_0 \cdot s_r \cdot (r{:}\pi_1)$$

and

$$\pi_0 \cdot s_r : (\mathrm{Ic}(t), \sigma_0, W_0) \to^* (r{:}\mathrm{Ic}([r/w]t_0), \sigma', W') \text{ in } \mathcal{W}[\![t]\!]_\Gamma \text{ and}$$

$$\pi_1 : (\mathrm{Ic}([r/w]t_0), \sigma', W') \to^* (C', \sigma, W) \text{ in } \mathcal{W}[\![[r/w]t_0]\!]_\Gamma, \text{ or}$$

• $C = \mathrm{Tc}(t)$ and there exist $r$, $\sigma'$, $\sigma''$, $W'$, $W''$, $\pi_0$, $\pi_1$, $\pi_2$ such that $\pi_0$ and $\pi_2$ comprise only interference events,

$$\pi = \pi_0 \cdot s_r \cdot (r{:}\pi_1) \cdot s'_r \cdot \pi_2$$

and

$$\pi_0 \cdot s_r : (\mathrm{Ic}(t), \sigma_0, W_0) \to^* (r{:}\mathrm{Ic}([r/w]t_0), \sigma', W') \text{ in } \mathcal{W}[\![t]\!]_\Gamma,$$

$$\pi_1 : (\mathrm{Ic}([r/w]t_0), \sigma', W') \to^* (\mathrm{Tc}([r/w]t_0), \sigma'', W'') \text{ in } \mathcal{W}[\![[r/w]t_0]\!]_\Gamma, \text{ and}$$

$$s'_r \cdot \pi_2 : (r{:}\mathrm{Tc}([r/w]t_0), \sigma'', W'') \to^* (\mathrm{Tc}(t), \sigma, W) \text{ in } \mathcal{W}[\![t]\!]_\Gamma.$$

Proof. Readily seen to be a consequence of Lemmas 3.23, 3.21, 3.10 and 4.9. □

It can be shown, as a consequence of the preceding lemma, that during the run of the net following the declaration event, the resource $r$ chosen for $w$ is owned by the process until it is made non-current at the end of the variable $w$'s scope.

Lemma 4.19. Let $t = \mathbf{resource}\ w\ \mathbf{do}\ t_0\ \mathbf{od}$. If $(r{:}C_0, \sigma, W)$ is reachable from $(\mathrm{Ic}(t), \sigma_0, W_0)$, which is a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$, then $\omega_{proc}(r) \in W$. □

We write $\mathrm{inv}(\Gamma, R)$ for the formula $\chi_1 * \cdots * \chi_n$ formed as the separating conjunction of the invariants of all the open resources that are available according to $R$. It is defined by induction on the size of the domain of $\Gamma$:

$$\mathrm{inv}(\emptyset, R) = \mathbf{empty}$$

$$\mathrm{inv}((\Gamma, r{:}\chi), R) = \begin{cases} \chi * \mathrm{inv}(\Gamma, R) & \text{if } r \in R \\ \mathrm{inv}(\Gamma, R) & \text{otherwise.} \end{cases}$$

Define the notations

$$D \restriction_W \mathrm{proc} = \{\ell \mapsto v \in D \mid \omega_{proc}(\ell) \in W\}$$

$$D \restriction_W \mathrm{inv} = \{\ell \mapsto v \in D \mid \omega_{inv}(\ell) \in W\}$$

$$D \restriction_W \mathrm{oth} = \{\ell \mapsto v \in D \mid \omega_{oth}(\ell) \in W\}$$

to represent the heap at locations owned by the process, by invariants and by other processes, respectively. In any state that we consider, we would expect $D \restriction_W \mathrm{inv} \models \mathrm{inv}(\Gamma, R)$. A marking of the net $\mathcal{W}[\![t]\!]_\Gamma$ can be converted to a marking of $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$ by, when $r$ is available, regarding the locations satisfying the invariant $\chi$ as owned by the invariant rather than by the process.



46 



J. HAYMAN AND G. WINSKEL 



Definition 4.20. Suppose that $\chi$ is a precise heap formula. Let $M = (C, (D, L, R, N), W)$ be a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$ such that if $r \in R$ then there exists a (necessarily unique) $D_0 \subseteq D \restriction_W \mathrm{proc}$ such that $D_0 \models \chi$. Define the projection of $M$ into the net $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$ to be

$$\pi^\chi_r(M) = (C, (D, L, R, N), W'),$$

where:

• if $r \notin R$: $W' = W$;

• if $r \in R$: let $D_0 \subseteq D$ be such that $D_0 \models \chi$, and

$$\begin{aligned} W' = {} & \{\omega_{oth}(\ell) \mid \omega_{oth}(\ell) \in W\} \\ \cup\ & \{\omega_{oth}(r') \mid \omega_{oth}(r') \in W\} \\ \cup\ & \{\omega_{inv}(\ell) \mid \omega_{inv}(\ell) \in W \text{ or } \ell \in \mathrm{dom}(D_0)\} \\ \cup\ & \{\omega_{inv}(r') \mid \omega_{inv}(r') \in W \text{ or } r' = r\} \\ \cup\ & \{\omega_{proc}(\ell) \mid \omega_{proc}(\ell) \in W \text{ and } \ell \notin \mathrm{dom}(D_0)\} \\ \cup\ & \{\omega_{proc}(r') \mid \omega_{proc}(r') \in W \text{ and } r' \neq r\}. \end{aligned}$$
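As an added example (not the paper's own code), the projection $\pi^\chi_r$ of Definition 4.20 and the two heap-side conditions of Definition 4.22 can be computed directly on small heaps. It assumes heaps as dictionaries, ownership markings as sets of tagged conditions, and a precise invariant given as the finite list of its models, so that precision (at most one model is a sub-heap of any given heap) can be asserted rather than taken on trust; the invariant is the one of Examples 4.6 and 4.13, and the heap and marking are constructed.

```python
# Heaps are {location: value}; a precise invariant chi is given as the finite list of its
# models; Gamma maps each open resource to its invariant; W is a set of ownership
# conditions ("proc", z) / ("inv", z) / ("oth", z); R is the set of available resources.

def restrict(D, W, kind):
    """D |_W kind: the part of D at locations whose ownership condition of this kind is marked."""
    return {l: v for l, v in D.items() if (kind, l) in W}

def unique_model(D, chi):
    """The unique D0 ⊆ D with D0 ⊨ chi, or None; precision (at most one such D0) is asserted."""
    found = [D0 for D0 in chi if all(D.get(l) == v for l, v in D0.items())]
    assert len(found) <= 1, "chi is not precise on this heap"
    return found[0] if found else None

def satisfies_inv(D_inv, R, Gamma):
    """D_inv ⊨ inv(Gamma, R): the invariant-owned heap is exactly the disjoint union
    of one model of chi for every available r:chi in Gamma (empty when none is)."""
    rest = dict(D_inv)
    for r, chi in Gamma.items():
        if r in R:
            D0 = unique_model(rest, chi)
            if D0 is None:
                return False
            for l in D0:
                del rest[l]
    return not rest

def project(D, R, W, r, chi):
    """pi_r^chi of Definition 4.20: when r is available, the unique process-owned sub-heap
    satisfying chi, together with r itself, passes from omega_proc to omega_inv."""
    if r not in R:
        return frozenset(W)
    D0 = unique_model(restrict(D, W, "proc"), chi)
    assert D0 is not None, "Definition 4.20 needs an owned sub-heap satisfying chi"
    moved = set(D0) | {r}
    return (frozenset(c for c in W if not (c[0] == "proc" and c[1] in moved))
            | {("inv", z) for z in moved})

def partition_ok(D, W):
    """Consistency: every location of D has exactly one ownership condition marked."""
    return all(sum((k, l) in W for k in ("proc", "inv", "oth")) == 1 for l in D)

# Constructed example: the invariant of Examples 4.6 and 4.13, and a heap whose
# process-owned part is (l ↦ 1 * m ↦ 5) * (l' ↦ 0), i.e. phi * chi with phi = l ↦ 1 * m ↦ 5.
CHI = [{"l'": 0}, {"l'": 1, "l": 0}]
GAMMA = {"r": CHI}

def example():
    D = {"l": 1, "l'": 0, "m": 5}
    W = {("proc", "l"), ("proc", "l'"), ("proc", "m"), ("proc", "r")}
    Wp = project(D, {"r"}, W, "r", CHI)
    return (restrict(D, Wp, "proc"), restrict(D, Wp, "inv"),
            satisfies_inv(restrict(D, Wp, "inv"), {"r"}, GAMMA), partition_ok(D, Wp),
            project(D, set(), W, "r", CHI) == frozenset(W))
```

After projection the process owns $\ell \mapsto 1 * m \mapsto 5$ (the $\varphi$ part), the invariant owns $\ell' \mapsto 0$ and satisfies $\mathrm{inv}(\Gamma, \{r\}) = \chi$, and the marking remains a partition, which is the consistency claim made for $\pi^\chi_r(M)$ below; when $r$ is held rather than available the marking is returned unchanged.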

It is clear that if $M$ is a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$ then $\pi^\chi_r(M)$ is a consistent marking of $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$. The key lemma representing the account above, that behaviour in the net where a resource is closed is simulated by the net where the resource is open, is now stated, though we shall not show its proof here.

Lemma 4.21. Let $r$ be a resource such that $r \notin \mathrm{dom}(\Gamma)$ and let $\chi$ be a precise heap logic formula. Let $M = (C, (D, L, R, N), W)$ be a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$ such that:

• $\omega_{proc}(r) \in W$,

• $D \restriction_W \mathrm{inv} \models \mathrm{inv}(\Gamma, R)$, and

• if $r \in R$ then there exists $D_0 \subseteq D \restriction_W \mathrm{proc}$ such that $D_0 \models \chi$.

Then:

(1) If $M$ is a violating marking in $\mathcal{W}[\![t]\!]_\Gamma$ then $\pi^\chi_r(M)$ is a violating marking in $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$.

(2) For any event $u$ of $\mathcal{W}[\![t]\!]_\Gamma$ that is an interference event, if $M$ is not a violating marking and $M \xrightarrow{u} M'$ where $M' = (C, (D', L', R', N'), W')$ and $\omega_{proc}(r) \in W'$ then:

  • $\pi^\chi_r(M) \xrightarrow{u} \pi^\chi_r(M')$ in $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$,

  • $D' \restriction_{W'} \mathrm{inv} \models \mathrm{inv}(\Gamma, R')$, and

  • if $r \in R'$ then there exists $D_0 \subseteq D' \restriction_{W'} \mathrm{proc}$ such that $D_0 \models \chi$.

(3) For any synchronized event $s = e_1 \cdot u$ of $\mathcal{W}[\![t]\!]_\Gamma$, if $M$ is not a violating marking and $M \xrightarrow{s} M'$ where $M' = (C', (D', L', R', N'), W')$ and $\omega_{proc}(r) \in W'$ then either:

  • $\pi^\chi_r(M)$ is violating in $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$, or

  • there exists $u'$ such that $\pi^\chi_r(M) \xrightarrow{e_1 \cdot u'} \pi^\chi_r(M')$ in $\mathcal{W}[\![t]\!]_{\Gamma, r:\chi}$ and

    – $D' \restriction_{W'} \mathrm{inv} \models \mathrm{inv}(\Gamma, R')$, and

    – if $r \in R'$ then there exists $D_0 \subseteq D' \restriction_{W'} \mathrm{proc}$ such that $D_0 \models \chi$. □

We shall say that a state $\sigma$ with an ownership marking $W$ satisfies the formula $\varphi$ and the invariants in $\Gamma$ if the heap restricted to the owned locations satisfies $\varphi$ and the invariants are met for all the available resources. The rest of the heap, seen as owned by external processes, is unconstrained.

Definition 4.22. A marking $(C, \sigma, W)$ of $\mathcal{W}[\![t]\!]_\Gamma$ satisfies $\varphi$ in $\Gamma$ if:

• the marking $(C, \sigma, W)$ is consistent,

• $D \restriction_W \mathrm{proc} \models \varphi$, and

• $D \restriction_W \mathrm{inv} \models \mathrm{inv}(\Gamma, R)$,

where $\sigma = (D, L, R, N)$.

We now attach a notion of validity to judgements $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$. It asserts that no violating marking is ever reached and that whenever the process $t$ runs to completion from a state where the part of the heap that it owns satisfies $\varphi$, the part of the resulting heap that it owns satisfies $\psi$.

Definition 4.23 (Validity). Let $t$ be a closed term. Define $\Gamma \models \{\varphi\}\ t\ \{\psi\}$ if, for any $\sigma$ and $W$ such that the marking $(\mathrm{Ic}(t), \sigma, W)$ satisfies $\varphi$ in $\Gamma$:

• any marking reachable in $\mathcal{W}[\![t]\!]_\Gamma$ from $(\mathrm{Ic}(t), \sigma, W)$ is non-violating, and

• for any $\sigma'$ and $W'$, if the marking $(\mathrm{Tc}(t), \sigma', W')$ is reachable in $\mathcal{W}[\![t]\!]_\Gamma$ from $(\mathrm{Ic}(t), \sigma, W)$ then $(\mathrm{Tc}(t), \sigma', W')$ satisfies $\psi$ in $\Gamma$.

It is useful to note that the occurrence of an interference event does not affect whether a marking satisfies $\varphi$ in $\Gamma$ or whether it is violating. Consequently, when considering validity it is unnecessary to account for runs of the net $\mathcal{W}[\![t]\!]_\Gamma$ that start or end with an interference event.

Lemma 4.24. Let $M$ be a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$ that satisfies $\varphi$ in $\Gamma$ and is non-violating. If $u$ is an interference event and $M \xrightarrow{u} M'$ then $M'$ satisfies $\varphi$ in $\Gamma$ and is non-violating.

Proof. Straightforward from the definition of satisfaction of $\varphi$ in $\Gamma$ by considering the possible forms of $u$. □

In the rule (L-Res), which allows invariants to be established for resources, only one resource is considered for substitution for the variable. The following lemma shows that this is sufficient; the semantics of judgements is unaffected by the choice of resource.

Lemma 4.25. For any resources $r, r'$ such that $r, r' \notin \mathrm{dom}(\Gamma)$ and any term $t$ with $\mathrm{fv}(t) \subseteq \{w\}$ and $\mathrm{res}(t) \subseteq \mathrm{dom}(\Gamma)$,

$$\Gamma, r : \chi \models \{\varphi\}\ [r/w]t\ \{\psi\} \quad\text{iff}\quad \Gamma, r' : \chi \models \{\varphi\}\ [r'/w]t\ \{\psi\}.$$

Proof. The net $\mathcal{W}[\![[r/w]t]\!]_{\Gamma, r:\chi}$ is clearly isomorphic to $\mathcal{W}[\![[r'/w]t]\!]_{\Gamma, r':\chi}$ through interchanging the conditions

$$r \leftrightarrow r' \qquad \mathrm{curr}(r) \leftrightarrow \mathrm{curr}(r')$$

(and likewise the ownership conditions of $r$ and $r'$). The result follows from the definition of validity being insensitive to such permutations. □

We are now in a position where the rules of concurrent separation logic can be proved sound. Only two important cases of the proof shall be presented here; full details will be available in the first author's PhD thesis.

Theorem 4.26 (Soundness). For any closed term $t$, if $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$ then $\Gamma \models \{\varphi\}\ t\ \{\psi\}$.

Proof. By rule induction on the judgement $\Gamma \vdash \{\varphi\}\ t\ \{\psi\}$. Note that, due to Lemma 4.24, we need only consider runs of $\mathcal{W}[\![t]\!]_\Gamma$ that do not start or end with an interference event.

(L-Par): Suppose that we have $\Gamma \vdash \{\varphi_1 * \varphi_2\}\ t_1 \parallel t_2\ \{\psi_1 * \psi_2\}$ because $\Gamma \vdash \{\varphi_1\}\ t_1\ \{\psi_1\}$ and $\Gamma \vdash \{\varphi_2\}\ t_2\ \{\psi_2\}$. Assume that the marking $M = (\mathrm{Ic}(t_1 \parallel t_2), \sigma, W)$ satisfies $\varphi_1 * \varphi_2$ in $\Gamma$. It can be seen from the definitions that there exist $W_1$ and $W_2$ forming an ownership split of $W$ such that $(\mathrm{Ic}(t_1), \sigma, W_1)$ is a marking of $\mathcal{W}[\![t_1]\!]_\Gamma$ that satisfies $\varphi_1$ in $\Gamma$ and $(\mathrm{Ic}(t_2), \sigma, W_2)$ satisfies $\varphi_2$ in $\Gamma$. Let the marking $M' = (C', \sigma', W')$ be reachable from $M$; a simple induction on the length of the path to $M'$ using Lemma 4.17 and Lemma 3.17 shows that there exist $C_1'$, $C_2'$, $W_1'$ and $W_2'$ such that $C' = 1{:}C_1' \cup 2{:}C_2'$ and $W_1'$ and $W_2'$ form an ownership split of $W'$. Furthermore, the marking $(C_1', \sigma', W_1')$ is reachable from $(\mathrm{Ic}(t_1), \sigma, W_1)$ in $\mathcal{W}[\![t_1]\!]_\Gamma$ and $(C_2', \sigma', W_2')$ is reachable from $(\mathrm{Ic}(t_2), \sigma, W_2)$ in $\mathcal{W}[\![t_2]\!]_\Gamma$.

Suppose that the marking $M'$ is violating. Using Lemma 4.17, it follows that either $(C_1', \sigma', W_1')$ or $(C_2', \sigma', W_2')$ is a violating marking. This contradicts either the induction hypothesis for $\Gamma \vdash \{\varphi_1\}\ t_1\ \{\psi_1\}$ or the induction hypothesis for $\Gamma \vdash \{\varphi_2\}\ t_2\ \{\psi_2\}$, so $M'$ cannot be violating.

Now suppose that the marking $M'$ is terminal: we have $C_1' = \mathrm{Tc}(t_1)$ and $C_2' = \mathrm{Tc}(t_2)$. From the induction hypotheses, we obtain that $(C_1', \sigma', W_1')$ satisfies $\psi_1$ in $\Gamma$ and that $(C_2', \sigma', W_2')$ satisfies $\psi_2$ in $\Gamma$. It is easy to see from the definition of ownership split that therefore $(C', \sigma', W')$ satisfies $\psi_1 * \psi_2$ in $\Gamma$.

(L-Res): Let $t = \mathbf{resource}\ w\ \mathbf{do}\ t_0\ \mathbf{od}$. Suppose that $\Gamma \vdash \{\varphi * \chi\}\ t\ \{\psi * \chi\}$ because $\Gamma, r_0 : \chi \vdash \{\varphi\}\ [r_0/w]t_0\ \{\psi\}$ for some $r_0 \notin \mathrm{dom}(\Gamma)$. Assume that the marking $M = (\mathrm{Ic}(t), \sigma, W)$ satisfies $\varphi * \chi$ in $\Gamma$, and let $M' = (C', \sigma', W')$ be reachable from $M$ in $\mathcal{W}[\![t]\!]_\Gamma$. According to Lemma 4.18, there are three cases to consider for the marking $M'$.

• The first case has $M = M'$ (we need not consider runs starting with an interference event, according to Lemma 4.24). Since $\mathrm{Ic}(t) \neq \mathrm{Tc}(t)$, all that we must show is that $M$ is non-violating. Using Lemma 3.21 we can infer that the only events with concession in the marking $(\mathrm{Ic}(t), \sigma)$ of $\mathcal{N}[\![t]\!]$ are of the form $\mathrm{decl}_{(\mathrm{Ic}(t),\ r{:}\mathrm{Ic}([r/w]t_0))}(r)$ for some $r \in \mathrm{Res}$ such that $\mathrm{curr}(r) \notin \sigma$. The marking $M$ is assumed to be consistent, so for each such $r$ we have $\omega_{proc}(r) \notin W$ and hence the synchronized event $\mathrm{decl}_{(\mathrm{Ic}(t),\ r{:}\mathrm{Ic}([r/w]t_0))}(r) \cdot \mathrm{decl}(r)$ has concession in $M$. The marking $M'$ cannot therefore be violating.

• Secondly, there exist a resource $r$, markings $\sigma_0$, $W_0$, $C_1$ and a path $\pi_1$ such that $C' = r{:}C_1$ and

$$s_r : (\mathrm{Ic}(t), \sigma, W) \to (r{:}\mathrm{Ic}([r/w]t_0), \sigma_0, W_0) \text{ in } \mathcal{W}[\![t]\!]_\Gamma$$

$$\pi_1 : (\mathrm{Ic}([r/w]t_0), \sigma_0, W_0) \to^* (C_1, \sigma', W') \text{ in } \mathcal{W}[\![[r/w]t_0]\!]_\Gamma,$$

where $s_r = \mathrm{decl}_{(\mathrm{Ic}(t),\ r{:}\mathrm{Ic}([r/w]t_0))}(r) \cdot \mathrm{decl}(r)$. The marking $(C', \sigma', W')$ cannot be a terminal marking of the net $\mathcal{W}[\![t]\!]_\Gamma$, so all that we must show is that it is non-violating. We have $r, \mathrm{curr}(r) \in \sigma_0$ and $\omega_{proc}(r) \in W_0$ since they are in the postconditions of $s_r$. A simple induction on the length of $\pi_1$ using Lemmas 4.19 and 4.21 shows that $\pi^\chi_r(C_1, \sigma', W')$ is reachable from $\pi^\chi_r(\mathrm{Ic}([r/w]t_0), \sigma_0, W_0)$ in $\mathcal{W}[\![[r/w]t_0]\!]_{\Gamma, r:\chi}$. We have $\mathrm{curr}(r) \notin \sigma$ because the event $s_r$ has concession in $M$, so $r \notin \mathrm{dom}(\Gamma)$ because the marking $M$ is consistent. Since $\mathrm{res}(t) \subseteq \mathrm{dom}(\Gamma)$ by Lemma 4.2, we may use Lemma 4.25 in conjunction with the induction hypothesis to obtain $\Gamma, r : \chi \models \{\varphi\}\ [r/w]t_0\ \{\psi\}$. It is an easy calculation to show that $\pi^\chi_r(\mathrm{Ic}([r/w]t_0), \sigma_0, W_0)$ satisfies $\varphi$ in $\Gamma, r : \chi$, so the marking $\pi^\chi_r(C_1, \sigma', W')$ is non-violating. By Lemma 4.21, the marking $(C_1, \sigma', W')$ of $\mathcal{W}[\![[r/w]t_0]\!]_\Gamma$ is therefore non-violating. According to Lemma 3.21, there are two possible ways in which the marking $(C', \sigma', W')$ of $\mathcal{W}[\![t]\!]_\Gamma$ might be violating. Firstly, there might exist an event $e$ of $\mathcal{N}[\![[r/w]t_0]\!]$ that has concession in the marking $(C_1, \sigma')$ but no interference event $u$ that synchronizes with $e$ such that $e \cdot u$ has concession in the marking $(C_1, \sigma', W')$. We have shown, however, that this is not the case since the marking $(C_1, \sigma', W')$ is non-violating. Alternatively, the event $e'_r = \mathrm{end}_{(r{:}\mathrm{Tc}([r/w]t_0),\ \mathrm{Tc}(t))}(r)$ might have concession in the marking $(C', \sigma')$ of $\mathcal{N}[\![t]\!]$ but the event $s'_r = e'_r \cdot \mathrm{end}(r)$ might not have concession in $(C', \sigma', W')$; that is, $\omega_{proc}(r) \notin W'$. However, we have $\omega_{proc}(r) \in W_0$, so by applying Lemma 4.19 along the path $\pi_1$ we obtain $\omega_{proc}(r) \in W'$. So the event $s'_r$ has concession in the marking, which is therefore not violating.

• The final case is where $C' = \mathrm{Tc}(t)$ and there exist $\sigma_0$, $\sigma_1$, $W_0$, $W_1$ and a path $\pi_1$ such that

$$s_r : (\mathrm{Ic}(t), \sigma, W) \to (r{:}\mathrm{Ic}([r/w]t_0), \sigma_0, W_0) \text{ in } \mathcal{W}[\![t]\!]_\Gamma$$

$$\pi_1 : (\mathrm{Ic}([r/w]t_0), \sigma_0, W_0) \to^* (\mathrm{Tc}([r/w]t_0), \sigma_1, W_1) \text{ in } \mathcal{W}[\![[r/w]t_0]\!]_\Gamma$$

$$s'_r : (r{:}\mathrm{Tc}([r/w]t_0), \sigma_1, W_1) \to (\mathrm{Tc}(t), \sigma', W') = M' \text{ in } \mathcal{W}[\![t]\!]_\Gamma,$$

where $s_r = \mathrm{decl}_{(\mathrm{Ic}(t),\ r{:}\mathrm{Ic}([r/w]t_0))}(r) \cdot \mathrm{decl}(r)$. The marking $M'$ is readily seen to be non-violating since no event of $\mathcal{N}[\![t]\!]$ has concession if the marking of control conditions is $\mathrm{Tc}(t)$. All that remains is to show that $M'$ satisfies $\psi * \chi$ in $\Gamma$. As in the previous case, we have $r, \mathrm{curr}(r) \in \sigma_0$ and $\omega_{proc}(r) \in W_0$ and $r \notin \mathrm{dom}(\Gamma)$. It is easily seen that the marking $\pi^\chi_r(\mathrm{Ic}([r/w]t_0), \sigma_0, W_0)$ of $\mathcal{W}[\![[r/w]t_0]\!]_{\Gamma, r:\chi}$ satisfies $\varphi$ in $\Gamma, r : \chi$. A simple induction on the length of the path $\pi_1$ using Lemmas 4.19 and 4.21 shows that the marking $\pi^\chi_r(\mathrm{Tc}([r/w]t_0), \sigma_1, W_1)$ is reachable in $\mathcal{W}[\![[r/w]t_0]\!]_{\Gamma, r:\chi}$ from $\pi^\chi_r(\mathrm{Ic}([r/w]t_0), \sigma_0, W_0)$. Using Lemmas 4.25 and 4.2 with the induction hypothesis $\Gamma, r_0 : \chi \models \{\varphi\}\ [r_0/w]t_0\ \{\psi\}$, the marking $\pi^\chi_r(\mathrm{Tc}([r/w]t_0), \sigma_1, W_1)$ satisfies $\psi$ in $\Gamma, r : \chi$. We have $r \in \sigma_1$ since the event $s'_r$ has concession in the marking $(r{:}\mathrm{Tc}([r/w]t_0), \sigma_1, W_1)$, so the marking $(\mathrm{Tc}([r/w]t_0), \sigma_1, W_1)$ satisfies $\psi * \chi$ in $\Gamma$, from which it is easily seen that $(\mathrm{Tc}(t), \sigma', W')$ also satisfies $\psi * \chi$ in $\Gamma$. □

The following result connects the definition of validity to the execution of processes without interference or ownership.

Corollary 4.27 (Connection). Let $t$ be a closed term with $\mathrm{res}(t) = \emptyset$ and let $\sigma = (D, L, \emptyset, \emptyset)$ be a consistent marking of state conditions for which $D \models \varphi$. If $\emptyset \models \{\varphi\}\ t\ \{\psi\}$ then whenever a terminal marking $(\mathrm{Tc}(t), \sigma')$ is reachable from $(\mathrm{Ic}(t), \sigma)$ in $\mathcal{N}[\![t]\!]$, the resulting heap $D'$ satisfies $\psi$, where $\sigma' = (D', L', R', N')$.

Proof. A consequence of soundness and Lemma 4.14. □



4.3. Fault. It can be seen that the rules of concurrent separation logic ensure that processes, running from suitable initial states, only access current locations. The syntax of the language ensures that processes only access current resources and that they are never blocked when releasing a resource through it already being available. We shall now demonstrate that processes avoid such 'faults', where we say that an event $e$ is control-enabled in a marking $C$ of control conditions if there exists a marking $C'$ such that $C \xrightarrow{e}_{c} C'$.

Definition 4.28 (Fault). There is a fault in a marking $M = (C, \sigma)$ of the net $\mathcal{N}[\![t]\!]$ if there exists a control-enabled event $e$ in $\mathcal{N}[\![t]\!]$ with ${}^\bullet e = C_1$ and $e^\bullet = C_2$ for some $C_1, C_2$ such that either:

(1) there exist $D, D'$ such that $e = \mathrm{act}_{(C_1,C_2)}(D, D')$ and there exists $\ell \in \mathrm{dom}(D')$ with $\mathrm{curr}(\ell) \notin \sigma$,

(2) there exist $\ell, v, \ell', v'$ such that $e = \mathrm{alloc}_{(C_1,C_2)}(\ell, v, \ell', v')$ and $\mathrm{curr}(\ell) \notin \sigma$,

(3) there exist $\ell, v, \ell', v'$ such that $e = \mathrm{dealloc}_{(C_1,C_2)}(\ell, v, \ell', v')$ and either $\mathrm{curr}(\ell) \notin \sigma$ or $\mathrm{curr}(\ell') \notin \sigma$,

(4) there exists $r$ such that either $e = \mathrm{acq}_{(C_1,C_2)}(r)$ or $e = \mathrm{rel}_{(C_1,C_2)}(r)$ and $\mathrm{curr}(r) \notin \sigma$, or

(5) there exists $r$ such that $e = \mathrm{rel}_{(C_1,C_2)}(r)$ and $r \in \sigma$.

This definition also applies to markings $(C, \sigma, W)$ of $\mathcal{W}[\![t]\!]_\Gamma$ by ignoring the marking of ownership conditions $W$ and considering synchronized events $e \cdot u$.

Theorem 4.29 (Fault avoidance). Suppose that $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$ and that the marking $(\mathrm{Ic}(t), \sigma_0, W_0)$ satisfies $\varphi$ in $\Gamma$. If $(C, \sigma, W)$ is reachable from $(\mathrm{Ic}(t), \sigma_0, W_0)$ then there is not a fault in $(C, \sigma, W)$.

Proof. By rule induction on the judgement $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$. □

A corollary of this result and Lemma 4.14 is that if $\emptyset \vdash \{\varphi\}\, t\, \{\psi\}$ then no fault is reachable from an initial marking of $\mathcal{N}[\![t]\!]$ if the heap initially satisfies $\varphi$.

5. Separation 

As mentioned in the introduction, the logic discriminates between the parallel composition of processes and their interleaved expansion. In Brookes' trace semantics [Bro07], this was accounted for by making the notion of a race primitive within the semantics: when forming the parallel composition of processes, if two processes concurrently write to the same location, a special 'race' action occurs and the trace proceeds no further. Our approach when defining the semantics has been different; we do not regard races as 'catastrophic' and have not embellished our semantics with special race states. Instead, we shall prove, using the semantics directly, that races do not occur for proved processes running from suitable initial states.

Generally, a race can be said to occur when two interacting heap actions occur concurrently. Recall that a heap action is represented in the net semantics by a set of events, with common pre- and post-control conditions, representing each way in which the action can affect the heap. According to the net model, two actions may be allowed to run concurrently if their events do not overlap on their pre- or post-control conditions. In such a situation, where ${}^\bullet e_1{}^\bullet \cap {}^\bullet e_2{}^\bullet = \emptyset$, we shall say that $e_1$ and $e_2$ are control-independent.

One way of capturing the race freedom of a process running from an initial state is to 
show that there is no reachable marking in the net where two control-independent events are 
control-enabled but access a common heap location, except interaction through allocation. 
We, however, shall prove a result based on the behaviour of processes: that whenever two 
events are control-independent and can occur, then either they are independent or they lie 
within a form of prescribed class of action. 

Definition 5.1 (Separation of synchronized events). Let $M$ be a marking of $\mathcal{W}[\![t]\!]_\Gamma$ and let $s_1 = e_1 \cdot u_1$ and $s_2 = e_2 \cdot u_2$ be control-independent synchronized events of $\mathcal{W}[\![t]\!]_\Gamma$. The separation property of $s_1$ and $s_2$ at $M$ is defined as:

(1) If $M \xrightarrow{s_1} M_1$ and $M \xrightarrow{s_2} M_2$ and $s_1$ and $s_2$ are not independent then either:

• $s_1$ and $s_2$ compete to allocate the same location: $e_1 = \mathrm{alloc}_{(C_1,C_1')}(\ell, v, \ell', v')$ and $e_2 = \mathrm{alloc}_{(C_2,C_2')}(k, w, \ell', w')$ for some $\ell, \ell', k, v, v', w, w'$;

• $s_1$ and $s_2$ compete to make the same resource current: $e_1 = \mathrm{decl}_{(C_1,C_1')}(r)$ and $e_2 = \mathrm{decl}_{(C_2,C_2')}(r)$ for some $r$; or

• $s_1$ and $s_2$ compete to acquire the same resource: $e_1 = \mathrm{acq}_{(C_1,C_1')}(r)$ and $e_2 = \mathrm{acq}_{(C_2,C_2')}(r)$ for some $r$.

(2) If $M \xrightarrow{s_1} M_1 \xrightarrow{s_2} M_2$ and $s_1$ and $s_2$ are not independent then either:

• $s_1$ deallocates a location that $s_2$ allocates: $e_1 = \mathrm{dealloc}_{(C_1,C_1')}(\ell, v, \ell', v')$ and $e_2 = \mathrm{alloc}_{(C_2,C_2')}(k, w, \ell', w')$ for some $\ell, \ell', k, v, v', w, w'$;

• $s_1$ makes a resource non-current that $s_2$ makes current: $e_1 = \mathrm{end}_{(C_1,C_1')}(r)$ and $e_2 = \mathrm{decl}_{(C_2,C_2')}(r)$ for some $r$; or

• $s_1$ releases a resource that $s_2$ takes: $e_1 = \mathrm{rel}_{(C_1,C_1')}(r)$ and $e_2 = \mathrm{acq}_{(C_2,C_2')}(r)$ for some $r$.

(3) The symmetric statement for $M \xrightarrow{s_2} M_2 \xrightarrow{s_1} M_1$.

The first part of the property above tells us how the enabled events of parallel processes 
conflict with each other in a state: the way in which one parallel process can prevent the 
other acting in a particular way on the global state. The second part dictates how the 
event occurrences of parallel processes causally depend on each other: the way in which the 
ability of one process to affect the global state in a particular way is dependent on events 
of the other process. 

Importantly, whenever the two events $s_1$ and $s_2$ arise from heap actions, they neither conflict nor causally depend on each other. This is our net analogue of race freedom. Theorem 5.4 shows that processes proved by the logic are race free when running from suitable initial states. We shall make use of the following rather technical lemmas in the proof.

For a synchronized event $s$ and an interference event $u$, define the separation property for $s$ and $u$ at $M$ similarly, recalling that any synchronized event is trivially control-independent from any interference event because an interference event $u$ has no pre- or post-control conditions. It is always the case that a synchronized event and an interference event satisfy the separation property in any consistent marking.

Lemma 5.2. If $M$ is a consistent marking of $\mathcal{W}[\![t]\!]_\Gamma$ and $s$ is a synchronized event and $u$ is an interference event then $s$ and $u$ satisfy the separation property in $M$.

Proof. A straightforward analysis of the many cases for $s$ and $u$. □

The following lemma relates independence from an interference event to independence from any corresponding synchronized event. Recall that we write $e\, I\, e'$ if $e$ and $e'$ are independent.

Lemma 5.3. Let $s$ be any synchronized event of $\mathcal{W}[\![t]\!]_\Gamma$ and $u$ be an interference event of $\mathcal{W}[\![t]\!]_\Gamma$. Suppose that $M$ is a consistent marking in which they both have concession. If $e_1$ is an event of $\mathcal{N}[\![t]\!]$ that synchronizes with $u$ and $s\, I\, u$ and $s$ is control-independent from $e_1$ then $s\, I\, (e_1 \cdot u)$.

Proof. It is easy to see that the preconditions of $e_1 \cdot u$ are simply the preconditions of $u$ along with the pre-control conditions of $e_1$ apart from replacing $\omega_{\mathit{oth}}(\ell)$ with $\omega_{\mathit{proc}}(\ell)$ and replacing $\omega_{\mathit{oth}}(r)$ with $\omega_{\mathit{proc}}(r)$. The postconditions of $e_1 \cdot u$ are similar.

Suppose, for contradiction, that $\neg(s\, I\, (e_1 \cdot u))$. Since $s\, I\, u$ and $s$ is control-independent from $e_1$, it follows that there must exist $z \in \mathrm{Loc} \cup \mathrm{Res}$ such that $\omega_{\mathit{proc}}(z) \in {}^\bullet s{}^\bullet \cap {}^\bullet(e_1 \cdot u){}^\bullet$. From the definition of synchronization, we therefore have $\omega_{\mathit{oth}}(z) \in {}^\bullet u{}^\bullet$. The proof is completed by analysis of the cases for how $\omega_{\mathit{proc}}(z) \in {}^\bullet s{}^\bullet$; we shall show only one illustrative case, that where $z$ is a location $\ell$ such that $\omega_{\mathit{proc}}(\ell) \in {}^\bullet s$ but $\omega_{\mathit{proc}}(\ell) \notin s^\bullet$.

In this case, the event $s$ must either deallocate the location $\ell$ or must release a resource $r$ with $r \in \mathrm{dom}(\Gamma)$ and $\ell$ forms part of the heap used to satisfy the invariant for $r$. As the event $s$ has concession in $M$, we have $\omega_{\mathit{proc}}(\ell) \in M$. By assumption, $u$ has concession in $M$ and $\omega_{\mathit{oth}}(\ell) \in {}^\bullet u{}^\bullet$. We cannot have $\omega_{\mathit{oth}}(\ell) \in {}^\bullet u$ since $\omega_{\mathit{proc}}(\ell) \in M$, so $\omega_{\mathit{oth}}(\ell) \in u^\bullet$. Therefore, the event $u$ is an interference event that either allocates the location $\ell$ or acquires an open resource $r$ and $\ell$ is part of the heap that satisfies the invariant for $r$. If $u$ is such an event, that acquires $r$, it must be the case that $\omega_{\mathit{inv}}(\ell) \in {}^\bullet u$ so $\omega_{\mathit{inv}}(\ell) \in M$, contradicting that $M$ is a consistent marking with $\omega_{\mathit{proc}}(\ell) \in M$. Consequently, $u$ must in fact be an event that allocates the location $\ell$, so therefore $\mathrm{curr}(\ell) \notin M$. We then arrive at another contradiction since it must then be the case that $\omega_{\mathit{proc}}(\ell) \notin M$ because $M$ is consistent. □

We may now show that the separation property does indeed hold for any two events $s_1$ and $s_2$ in $\mathcal{W}[\![t]\!]_\Gamma$ for any term $t$ and environment $\Gamma$ such that $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$ in any marking $M = (C, \sigma, W)$ reachable from an initial marking of $t$ that satisfies $\varphi$ in $\Gamma$. The proof is most interesting in the case where $t = t_1 \parallel t_2$ and $s_1$ is an event of $t_1$ and $s_2$ is an event of $t_2$. The case proceeds by establishing, as in Theorem 4.26, that there exists an ownership split $W_1$ and $W_2$ of $W$ for which $s_1$ has concession in $(C_1, \sigma, W_1)$, where $C_1$ is the marking of control conditions in $C$ for $t_1$, and there exist $e_2$ and $u_2$ such that $s_2 = (2{:}e_2) \cdot u_2$ and $u_2$ also has concession in the marking $(C_1, \sigma, W_1)$ of $\mathcal{W}[\![t_1]\!]_\Gamma$. By Lemma 5.2 the separation property therefore holds for $s_1$ and $u_2$ in the marking $(C_1, \sigma, W_1)$. It follows that the separation property holds for $s_1$ and $s_2$ in $M$ since, by Lemma 5.3, if the events $s_1$ and $u_2$ are independent then so are $s_1$ and $s_2$.

Theorem 5.4 (Separation). Suppose that $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$ and that $(\mathrm{Ic}(t), \sigma_0, W_0)$ satisfies $\varphi$ in $\Gamma$. For any events $s_1$ and $s_2$ in $\mathcal{W}[\![t]\!]_\Gamma$ and any marking $(C, \sigma, W)$ reachable from $(\mathrm{Ic}(t), \sigma_0, W_0)$, the separation property holds for $s_1$ and $s_2$ at $(C, \sigma, W)$.

Proof. By induction on the derivation of $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$. We shall show only one case:

(L-Par): Assume that the marking $(\mathrm{Ic}(t_1 \parallel t_2), \sigma_0, W_0)$ of $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ satisfies $\varphi_1 * \varphi_2$ in $\Gamma$ and that $M = (1{:}C_1 \cup 2{:}C_2, \sigma, W)$ is reachable from this marking. There exist $W_{01}$ and $W_{02}$ forming an ownership split of $W_0$ such that the marking $(\mathrm{Ic}(t_1), \sigma_0, W_{01})$ of $\mathcal{W}[\![t_1]\!]_\Gamma$ satisfies $\varphi_1$ in $\Gamma$ and the marking $(\mathrm{Ic}(t_2), \sigma_0, W_{02})$ of $\mathcal{W}[\![t_2]\!]_\Gamma$ satisfies $\varphi_2$ in $\Gamma$. By assumption, $\Gamma \vdash \{\varphi_1\}\, t_1\, \{\psi_1\}$ and $\Gamma \vdash \{\varphi_2\}\, t_2\, \{\psi_2\}$, so according to Theorem 4.26 no violating marking is reachable from either of these markings.

Let $s_1$ and $s_2$ be synchronized events in $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$. If $s_1 = (1{:}e_1) \cdot u_1$ and $s_2 = (1{:}e_2) \cdot u_2$ for some $e_1, e_2 \in \mathrm{Ev}(t_1)$ and interference events $u_1$ and $u_2$ in $\mathcal{W}[\![t_1]\!]_\Gamma$, the result follows routinely from the induction hypothesis, and similarly if $s_1$ and $s_2$ both arise from events of $\mathcal{N}[\![t_2]\!]$. Suppose instead that there exist $e_1 \in \mathrm{Ev}(t_1)$, $e_2 \in \mathrm{Ev}(t_2)$ and interference events $u_1$ and $u_2$ such that $s_1 = (1{:}e_1) \cdot u_1$ and $s_2 = (2{:}e_2) \cdot u_2$.

Suppose first that in the net $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ we have

$M \xrightarrow{s_1} (1{:}C_1' \cup 2{:}C_2', \sigma', W') \xrightarrow{s_2} (1{:}C_1'' \cup 2{:}C_2'', \sigma'', W'').$

A simple induction applying the parallel decomposition lemma (Lemma 4.17) along the path to $M$ shows that there exist $W_1$ and $W_2$ that form an ownership split of $W$ such that

$(C_1, \sigma, W_1) \xrightarrow{e_1 \cdot u_1} (C_1', \sigma', W_1') \xrightarrow{u_2} (C_1'', \sigma'', W_1'')$

in $\mathcal{W}[\![t_1]\!]_\Gamma$ for some $W_1', W_1''$. By Lemma 5.2 the separation property holds for $e_1 \cdot u_1$ and $u_2$ in $(C_1, \sigma, W_1)$; consider how it might hold. If $e_1 \cdot u_1$ deallocates a location that $u_2$ allocates, then $s_1$ deallocates a location that $s_2$ allocates, so the separation property holds for $s_1$ and $s_2$. The argument is similar for all the other cases where $e_1 \cdot u_1$ and $u_2$ are not independent. Suppose instead that $e_1 \cdot u_1\, I\, u_2$. The event $u_2$ has concession in the marking $(C_1, \sigma, W_1)$ by virtue of the fact that the occurrence of independent events in a run can be interchanged (Proposition 3.4). Consider the marking $(1{:}C_1 \cup 2{:}C_2, \sigma, W_1)$ of $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$; this is straightforwardly seen to be consistent. The event $s_1$ is readily seen using Lemma 3.6 to have concession in this marking, as does $u_2$. The event $2{:}e_2$ is control-independent from $1{:}e_1$, so by Lemma 5.3 we have $s_1\, I\, s_2$, as required.

Now suppose that in the net $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$ we have

$M \xrightarrow{s_1} (1{:}C_1' \cup 2{:}C_2', \sigma', W')$ and $M \xrightarrow{s_2} (1{:}C_1'' \cup 2{:}C_2'', \sigma'', W'').$

A simple induction applying the parallel decomposition lemma (Lemma 4.17) along the path to $M$ shows that there exist $W_1$ and $W_2$ that form an ownership split of $W$ such that

$(C_1, \sigma, W_1) \xrightarrow{e_1 \cdot u_1} (C_1', \sigma', W_1')$ and $(C_1, \sigma, W_1) \xrightarrow{u_2} (C_1'', \sigma'', W_1'')$

in $\mathcal{W}[\![t_1]\!]_\Gamma$ for some $W_1', W_1''$. By Lemma 5.2 the separation property holds for $e_1 \cdot u_1$ and $u_2$ in $(C_1, \sigma, W_1)$; consider how it might hold. If $e_1 \cdot u_1$ allocates a location that $u_2$ also allocates, then $s_1$ allocates a location that $s_2$ allocates, so the separation property holds for $s_1$ and $s_2$. The argument is similar for all the other cases where $e_1 \cdot u_1$ and $u_2$ are not independent. Suppose instead that $e_1 \cdot u_1\, I\, u_2$. Consider the marking $(1{:}C_1 \cup 2{:}C_2, \sigma, W_1)$ of $\mathcal{W}[\![t_1 \parallel t_2]\!]_\Gamma$; this is readily seen to be consistent. The event $s_1$ has concession in this marking as does $u_2$. The event $2{:}e_2$ is control-independent from $1{:}e_1$, so by Lemma 5.3 we have $s_1\, I\, s_2$, as required.

The remaining cases of the proof follow relatively straightforwardly by induction. The case for (L-Res) requires an observation along the lines of Lemma 4.25 that, for any term $t$ with $\mathrm{fv}(t) \subseteq \{w\}$ and resources $r, r' \notin \mathrm{dom}(\Gamma)$, if the separation property holds for any two synchronized events of $\mathcal{W}[\![[r/w]t]\!]_\Gamma$ in any marking reachable from any initial marking satisfying $\varphi$ in $\Gamma$ then it also holds for $\mathcal{W}[\![[r'/w]t]\!]_\Gamma$.

The proof for the rule (L-Seq) follows straightforwardly by induction using Lemma 3.15 except in the second (and symmetric third) cases of the definition of the separation property, where there are reachable markings $M, M', M''$ such that $M \xrightarrow{s_1} M' \xrightarrow{s_2} M''$ and there exist events $e_1 \in \mathrm{Ev}(t_1)$ and $e_2 \in \mathrm{Ev}(t_2)$ and interference events $u_1, u_2$ such that $s_1 = (P \lhd 1{:}e_1) \cdot u_1$ and $s_2 = (P \rhd 2{:}e_2) \cdot u_2$ for $P = 1{:}\mathrm{Tc}(t_1) \times 2{:}\mathrm{Ic}(t_2)$. In this case, it follows from Lemma 3.15 and Lemma 3.12 that the events $s_1$ and $s_2$ are not control-independent. □

The result can be applied, using Lemma 4.14 and the observation that $e_1 \cdot u_1\, I\, e_2 \cdot u_2$ implies that $e_1\, I\, e_2$, to obtain a similar result for the net semantics of terms without ownership.

Corollary 5.5. Let $t$ be a closed term. Suppose that $\emptyset \vdash \{\varphi\}\, t\, \{\psi\}$ and that $\sigma_0 = (D_0, L_0, \emptyset, \emptyset)$ is a state for which $D_0 \models \varphi$. If $M$ is a marking reachable from $(\mathrm{Ic}(t), \sigma_0)$ in $\mathcal{N}[\![t]\!]$ and $e_1$ and $e_2$ are control-independent events then:

• If $M \xrightarrow{e_1} M_1 \xrightarrow{e_2} M'$ then either $e_1$ and $e_2$ are independent or $e_1$ releases a resource or a location that $e_2$ correspondingly takes or allocates, or $e_1$ makes non-current a resource that $e_2$ makes current.

• If $M \xrightarrow{e_1} M_1$ and $M \xrightarrow{e_2} M_2$ then either $e_1$ and $e_2$ are independent or $e_1$ and $e_2$ compete either to make current the same resource, acquire the same resource or to allocate the same location. □
5.1. Incompleteness. The separation result highlights an important form of possible interaction between concurrent processes. Observe that, although there is neither conflict nor causal dependence arising from heap events (and hence the processes are race-free in the sense of Brookes), there may be interaction through the occurrence of allocation and deallocation events. One may therefore give judgements for parallel processes that interact without using critical regions. Suppose, for example, that we have a heap

$D = \{\ell_0 \mapsto \ell_1,\ \ell_1 \mapsto 2,\ \ell_2 \mapsto 3,\ \ell_3 \mapsto 4\}.$

For any processes $t_1$ and $t_2$ such that $t_1$ does not deallocate $\ell_1$, if we place the process

$t_1;\ \mathrm{dealloc}(\ell_0)$

in parallel with

$\mathrm{alloc}(\ell_2);\ \mathbf{while}\ [\ell_2] \neq \ell_1\ \mathbf{do}\ \mathrm{alloc}(\ell_2)\ \mathbf{od};\ t_2,$

the process $t_2$ only takes place once $t_1$ has terminated, and possibly never, even if $t_1$ terminates. This arises from the fact that the loop in the second process will only exit when location $\ell_1$ is allocated by the command $\mathrm{alloc}(\ell_2)$; this can only occur once $\mathrm{dealloc}(\ell_0)$ makes $\ell_1$ non-current and therefore available for allocation by $\mathrm{alloc}(\ell_2)$. Denote this process $\mathrm{seq}(t_1, t_2)$.

We can use this to show that concurrent separation logic is incomplete with respect to our definition of validity: Let $t_1$ be the assignment $[\ell_3] := 1$ and $t_2$ be $[\ell_3] := 2$. Define the formula

We have $\models \{\delta\}\ \mathrm{seq}(t_1, t_2)\ \{\ell_3 \mapsto 2 * \top\}$ since, whenever $\mathrm{seq}(t_1, t_2)$ terminates, the assignment $[\ell_3] := 2$ always occurs after the assignment $[\ell_3] := 1$. The separation property holds in any marking reachable from any heap initially satisfying $\delta$. It can be shown that

$\emptyset \nvdash \{\delta\}\ \mathrm{seq}(t_1, t_2)\ \{\ell_3 \mapsto 2 * \top\},$

so the logic is incomplete, even for processes satisfying the separation property.

There are also examples of incompleteness where neither process accesses a common heap location along any run: Let

$t_1' = \mathrm{alloc}(\ell_3);\ \mathbf{while}\ [\ell_3] \neq \ell_5\ \mathbf{do}\ \mathrm{alloc}(\ell_3)\ \mathbf{od}$

$t_2' = \mathrm{alloc}(\ell_2);\ ([\ell_2] = \ell_5).\mathbf{skip} + ([\ell_2] \neq \ell_5).\mathbf{diverge},$

for the previous definition of $\mathbf{diverge}$ and the obvious definition of $\mathbf{skip}$, $\mathcal{A}[\![\mathbf{skip}]\!] = \{(\emptyset, \emptyset)\}$. Since the location $\ell_5$ is always current following termination of $t_1'$ from $D$, process $t_2'$ always diverges. We have

$\emptyset \models \{\delta\}\ \mathrm{seq}(t_1', t_2')\ \{\bot\}.$

However, there are no $\delta_1, \delta_2$ such that $\delta$ is logically equivalent to $\delta_1 * \delta_2$ and $\models \{\delta_2\}\ t_2'\ \{\bot\}$, which would be necessary if it were possible to prove $\vdash \{\delta\}\ \mathrm{seq}(t_1', t_2')\ \{\bot\}$.
6. Refinement

As we remarked in the introduction, the atomicity assumed of primitive actions, also called their granularity, is of significance when considering parallel programs. For example, suppose that the concurrent program

$[\ell] := [\ell'] + 1 \quad\parallel\quad ([\ell'] \neq [\ell]).\mathbf{diverge} + ([\ell'] = [\ell]).\mathbf{skip}$

runs from the heap $\{\ell \mapsto 0, \ell' \mapsto 1\}$. Given the prior interpretations of $\mathbf{skip}$ and $\mathbf{diverge}$, we might conclude that the program never terminates since the assignment $[\ell] := [\ell'] + 1$ maintains the property through execution that $\ell$ and $\ell'$ hold different values.

It may not, however, be reasonable to assume that the assignment is executed atomically. For instance, the processor on which the process runs might have primitive actions for copying the values held in memory locations and for incrementing them, but not for copying and incrementing in one clock step. The process $[\ell] := [\ell'] + 1$ might therefore be compiled to execute as $[\ell] := [\ell'];\ [\ell] := [\ell] + 1$. Quite clearly, the process

$[\ell] := [\ell'];\ [\ell] := [\ell] + 1 \quad\parallel\quad ([\ell'] \neq [\ell]).\mathbf{diverge} + ([\ell'] = [\ell]).\mathbf{skip}$

may terminate, so we failed to exhibit a proper degree of caution when asserting that it would fail to terminate.
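As an added illustration of both the granularity example above and the $\mathrm{seq}(t_1, t_2)$ construction of Section 5.1 (this is not code from the paper), the following Python explores every interleaving of atomic heap steps and reports the heaps at which both processes have terminated. It models heap actions directly as state transformers over a finite heap and processes as small control-flow graphs rather than through the Petri net semantics; the location names l0 to l4 (lp stands for $\ell'$), the value 0 stored by alloc and the finite location universe are assumptions.

```python
"""Added worked example (not part of the paper): an exhaustive interleaving
explorer for the interaction examples of Sections 5.1 and 6.  Heap actions are
atomic steps over a finite heap and processes are small control-flow graphs,
not the paper's Petri nets; location names and the finite location universe
are constructed assumptions."""

UNIVERSE = ("l0", "l1", "l2", "l3", "l4")  # constructed finite set of locations

# A process is (step, final_pc): step(pc, heap) lists the (next_pc, next_heap)
# pairs with concession.  No successor means the process is blocked there,
# which is how the '.diverge' branch is represented.

def assign(dst, value_of):
    """[dst] := value_of(heap) as a single atomic heap action."""
    return lambda h: [{**h, dst: value_of(h)}]

def alloc(dst):
    """alloc(dst): make some non-current location x current (holding 0) and
    store x at [dst]; every non-current location is a possible choice."""
    return lambda h: [{**h, x: 0, dst: x} for x in UNIVERSE if x not in h]

def dealloc(src):
    """dealloc(src): make the location held at [src] non-current; no concession
    if that location is not current."""
    def act(h):
        target = h[src]
        return [{k: v for k, v in h.items() if k != target}] if target in h else []
    return act

def guard(cond):
    """(cond).skip: fires without changing the heap, only when cond holds."""
    return lambda h: [dict(h)] if cond(h) else []

def cfg(edges, final):
    """Process from edges {pc: [(action, next_pc), ...]} and a terminal pc."""
    def step(pc, h):
        return [(nxt, h2) for act, nxt in edges.get(pc, []) for h2 in act(h)]
    return step, final

def terminal_heaps(procs, heap):
    """Heaps reachable with every process at its final pc, over all
    interleavings of atomic steps (depth-first search over (pcs, heap))."""
    start = (tuple(0 for _ in procs), frozenset(heap.items()))
    seen, stack, results = set(), [start], set()
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        pcs, fh = state
        if all(pc == fin for pc, (_, fin) in zip(pcs, procs)):
            results.add(fh)
            continue
        h = dict(fh)
        for i, (step, fin) in enumerate(procs):
            if pcs[i] == fin:
                continue
            for pc2, h2 in step(pcs[i], h):
                stack.append((pcs[:i] + (pc2,) + pcs[i + 1:], frozenset(h2.items())))
    return results

# Section 6: [l] := [l'] + 1 at two granularities, in parallel with the checker
# ([l'] != [l]).diverge + ([l'] = [l]).skip, from the heap {l -> 0, l' -> 1}.
atomic_incr = cfg({0: [(assign("l", lambda h: h["lp"] + 1), 1)]}, final=1)
split_incr = cfg({0: [(assign("l", lambda h: h["lp"]), 1)],
                  1: [(assign("l", lambda h: h["l"] + 1), 2)]}, final=2)
checker = cfg({0: [(guard(lambda h: h["lp"] == h["l"]), 1)]}, final=1)

def granularity_example():
    """Returns (terminal heaps with the atomic assignment, with the split one)."""
    h0 = {"l": 0, "lp": 1}
    return (terminal_heaps([atomic_incr, checker], h0),
            terminal_heaps([split_incr, checker], h0))

def seq_example():
    """Section 5.1: seq(t1, t2) with t1 = [l3] := 1 and t2 = [l3] := 2; t2 can
    only start after dealloc(l0) frees l1 and the alloc loop re-allocates it."""
    d = {"l0": "l1", "l1": 2, "l2": 3, "l3": 4}  # constructed heap shaped like D
    left = cfg({0: [(assign("l3", lambda h: 1), 1)],
                1: [(dealloc("l0"), 2)]}, final=2)
    right = cfg({0: [(alloc("l2"), 1)],
                 1: [(guard(lambda h: h["l2"] != "l1"), 0),
                     (guard(lambda h: h["l2"] == "l1"), 2)],
                 2: [(assign("l3", lambda h: 2), 3)]}, final=3)
    return terminal_heaps([left, right], d)
```

With the atomic assignment no interleaving reaches a terminal heap, while the split assignment can terminate at $\{\ell \mapsto 2, \ell' \mapsto 1\}$; for seq, every terminal heap has $[\ell_3] = 2$, since the second process cannot pass its loop before the first has deallocated.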

In [Rey04], Reynolds proposes a form of trace semantics that regards the occurrence of uncontrolled interference between concurrent processes as 'catastrophic'. The motivation behind this is the race freedom property arising from concurrent separation logic [Bro04]: in the semantics of a proved process running from a suitable initial state, no uncontrolled interference may occur. Reynolds' observation is that, in this situation, judgements may be made that are insensitive to atomicity.

Within our net model we can provide a form of refinement, similar to that of [vGG89] but suited to processes executing in a shared environment, that begins to capture these ideas. Importantly, the property required to apply the refinement operation may be captured directly in terms of independence, with no changes to our semantics. We will relate the nets representing processes with different levels of atomicity by regarding them as alternative substitutions into a context. We will then give a condition on substitutions led by Theorem 5.4 to show that any partial correctness assertion made for one of the nets also holds for the other.

The treatment of substitution requires some restrictions to be placed on the nets we consider. In the remainder of this section and in Appendix A, where we present the technical details of this section, we require that all embedded nets satisfy the structural properties described in Lemma 3.11 and Definition 3.13.

Definition 6.1 (Context). Define a context to be an embedded net with a distinguished event $[-]$. The event $[-]$ is such that ${}^\bullet[-]{}^\bullet \subseteq C$ and its pre- and postconditions form disjoint, nonempty sets.

We may now construct the net representing the substitution of a net N for the hole in 
a context K. We shall assume that, as in the semantics for terms, the two nets are formed 
with the same sets of conditions. As the nets are extensional (we regard an event simply as 
its set of preconditions paired with its set of postconditions), all that we need to specify is 
the events of the net and its initial and terminal markings of control conditions. 
Definition 6.2 (Substitution). Let $K$ be a context and $N$ an embedded net. Define the sets

$P_I \stackrel{\mathrm{def}}{=} 1{:}{}^\bullet[-] \times 2{:}\mathrm{Ic}(N) \qquad P_T \stackrel{\mathrm{def}}{=} 1{:}[-]^\bullet \times 2{:}\mathrm{Tc}(N).$

The substitution $K[N]$ is defined to be the embedded net with:

$\mathrm{Ev}(K[N]) \stackrel{\mathrm{def}}{=} (P_I \cup P_T) \lhd 1{:}(\mathrm{Ev}(K) \setminus \{[-]\}) \;\cup\; (P_I \cup P_T) \rhd 2{:}\mathrm{Ev}(N)$

$\mathrm{Ic}(K[N]) \stackrel{\mathrm{def}}{=} (P_I \cup P_T) \lhd 1{:}\mathrm{Ic}(K)$

$\mathrm{Tc}(K[N]) \stackrel{\mathrm{def}}{=} (P_I \cup P_T) \lhd 1{:}\mathrm{Tc}(K)$

To see the definition at work, consider the following example. We elide details of the action of events on state conditions, which is unaffected by the substitution operation.



Example 6.3. In the following example substitution, we depict the hole $[-]$ as a hollow rectangle.

[Figure: the context $K$ with $\mathrm{Ic}(K)$, $\mathrm{Tc}(K)$ and events $e_1, e_2$; the net $N$ with $\mathrm{Ic}(N)$, $\mathrm{Tc}(N)$; and the substitution $K[N]$ with $\mathrm{Ic}(K[N])$, $\mathrm{Tc}(K[N])$, conditions such as $(1{:}a_1, 2{:}i_1)$, $1{:}c_1$, $1{:}c_2$, $(1{:}a_2, 2{:}i_2)$, $(1{:}x, 2{:}t_1)$, $(1{:}x, 2{:}t_2)$ and events $P \lhd 1{:}e_1$, $P \rhd 2{:}e_3$, $P \lhd 1{:}e_2$, $P \rhd 2{:}e_4$.]



Definition 6.4. Let $\pi$ be a sequence of events of the net $N$. Sequence $\pi$ is said to be complete from $\sigma$ to $\sigma'$ if

$\pi : (\mathrm{Ic}(N), \sigma) \longrightarrow^{*} (\mathrm{Tc}(N), \sigma').$

Write $N : \sigma \Downarrow \sigma'$ if there exists a complete sequence from $\sigma$ to $\sigma'$ in $N$.

Using this definition, we can define a notion of complete trace equivalence $\simeq$ as:

$N_1 \simeq N_2 \quad\text{iff}\quad (\forall \sigma, \sigma')\ N_1 : \sigma \Downarrow \sigma' \iff N_2 : \sigma \Downarrow \sigma'.$

We wish to constrain $N_1$ and $N_2$ appropriately so that if $N_1 \simeq N_2$ then $K[N_1] \simeq K[N_2]$.

Example 6.5. Write, in the obvious way, $-$ for the action term that will be interpreted as forming the hole of a context. Define

$K \stackrel{\mathrm{def}}{=} [\![\, - \parallel ([\ell'] \neq [\ell]).\mathbf{diverge} + ([\ell'] = [\ell]).\mathbf{skip} \,]\!]$

$N_1 \stackrel{\mathrm{def}}{=} [\![\, [\ell] := [\ell'] + 1 \,]\!]$

$N_2 \stackrel{\mathrm{def}}{=} [\![\, [\ell] := [\ell'];\ [\ell] := [\ell] + 1 \,]\!].$

We clearly have $N_1 \simeq N_2$, but $K[N_1] \not\simeq K[N_2]$ since

$K[N_1] : \{\ell \mapsto 0, \ell' \mapsto 1\} \not\Downarrow \{\ell \mapsto 2, \ell' \mapsto 1\}$

but

$K[N_2] : \{\ell \mapsto 0, \ell' \mapsto 1\} \Downarrow \{\ell \mapsto 2, \ell' \mapsto 1\}.$



Return to the general case for a substitution $K[N]$. Intuitively, if the substituend $N$ were an atomic event, it would start running only if the conditions $P_I$ were marked and $P_T$ were not. There are two distinct ways in which the context $K$ can affect the execution of $N$. Firstly, it might affect the marking of conditions in $P_I$ or $P_T$ whilst $N$ is running. Secondly, it might change the marking of state conditions in a way that affects the execution of $N$. An instance of the latter form of interference is seen in the preceding example. We now define a form of constrained substitution, guided by Theorem 5.4, so that $N$ is not subject to these forms of interference.

Say that a control condition $c$ of $K[N]$ is internal to $N$ if $c = 2{:}c_2$ where $c_2$ is a pre- or a postcondition of an event of $N$ that is not in $\mathrm{Ic}(N)$ or $\mathrm{Tc}(N)$. Given a marking $M$ of $K[N]$, say that $N$ is active if $P_I \subseteq M$ or there exists an internal condition of $N$ in $M$.

Definition 6.6. For a given marking of state conditions $\sigma$, we say that $K[N]$ is a non-interfering substitution if, for all markings $M$ reachable from $(\mathrm{Ic}(K[N]), \sigma)$:

(1) if $P_I \subseteq M$ then $P_T \cap M = \emptyset$, and

(2) if $N$ is active in $M$ then no enabled event of $K$ has a pre- or postcondition in $P_I$ or $P_T$, and

(3) if $M \xrightarrow{e_1} M_1 \xrightarrow{e_2} M'$, one of $e_1$ and $e_2$ is from $N$ and the other is from $K$ and $N$ is active in $M$ and $M_1$, then $e_1$ and $e_2$ are independent.

Theorem 6.7. If $N_1 \simeq N_2$ and $K[N_1]$ and $K[N_2]$ are non-interfering substitutions from state $\sigma$, then, for any $\sigma'$:

$K[N_1] : \sigma \Downarrow \sigma' \quad\text{iff}\quad K[N_2] : \sigma \Downarrow \sigma'.$

Proof. Appendix A, Theorem A.12. □

The refinement operation defined in this section allows us to change the granularity of heap actions by substituting the occurrence of an action in the original net with a net representing the actual implementation of the action, but only once it has been shown that the noninterference property holds for both the original net and for the net formed. The operation might be a key to proving Reynolds' observation that an occurrence of an action $a$ in the term $t$ can be replaced by a term with the same overall behaviour as $a$ without affecting the validity of the judgement $\Gamma \vdash \{\varphi\}\, t\, \{\psi\}$.

7. Related work and conclusions 

The first component of this work provides an inductive definition of the semantics as a net of programs operating in a (shared) state. This is a relatively novel technique, but has in the past been applied to give the semantics of a language for investigating security protocols, SPL [CW01], though our language involves a richer collection of constructs. Other independence models for terms include the Box calculus [BDH92] and the event structure and net semantics of CCS [Stu80, Win82, WN95] ([Stu80] was, to our knowledge, the first Petri net denotational semantics of CCS), though these model interaction as synchronized communication rather than occurring through shared state. We hope that the novel Petri net semantics presented here and in [CW01] can be the start of systematic and comprehensive methods to attribute structural Petri net semantics to a full variety of programming languages, resulting in a Petri net companion to Plotkin's structural operational semantics (SOS) based on transition systems [Plo81]. Paralleling the (inductive) definitions of data and transitions of SOS would be (inductive) definitions of conditions and events of Petri nets.

The proof of soundness of separation logic here is led by Brookes' earlier work [Bro07]. There are a few minor differences in the syntax of processes, including that we allow the dynamic binding of resource variables. Another minor difference between the programming language and logic considered here and that introduced by O'Hearn and proved sound by Brookes is that we do not distinguish stack variables. These may be seen as locations to which other locations may not point and are the only locations that terms can directly address. In Brookes' model, as in [O'H07], interference of parallel processes through stack variables is constrained by the use of a side condition on the rule rather than using the concept of ownership (the area of current research on 'permissions' [BCOP05, BCY05, Bro06] promises a uniform approach). In particular, the rule allows the concurrent reading of stack locations. Though we have chosen not to include stack variables in our model in order to highlight the concept of ownership, our model and proofs could be easily extended to deal with them. Concurrent reading of memory would be at the cost of a more sophisticated notion of independence that allowed independent events to access the same condition providing that neither affects the marking of that condition.

More notably, at the core of Brookes' work is a 'local enabling relation', which gives the semantics of programs over a restricted set of 'owned' locations. Our notion of validity involves maintaining a record of ownership and using this to constrain the occurrence of events in the interference net augmented to the process. This allows the intuition of ownership in O'Hearn's introduction of concurrent separation logic [O'H07] to be seen directly as constraining interference. Though the relationship between our model and Brookes' is fairly obvious, we believe that our approach leads to a clearer parallel decomposition lemma, upon which the proof of soundness of the logic critically stands.

The most significant difference between our work and Brookes' is that the net model captures, as a primitive property, the independence of parallel processes enforced by the logic. We have used this property to define a straightforward, yet general, form of refinement suited to changing the atomicity of commands within the semantics of a term. This is in contrast to [Bro05], which gives a new semantics to race-free processes that abstracts entirely away from attaching any form of atomicity to the semantics of heap actions. As said at the end of the previous section, we hope to show that the refinement operation can be applied to change the atomicity of any action occurring within any process running from a suitable initial state proved using the rules of concurrent separation logic.

Our characterization of 'separation' arising from the logic is much finer than that ob- 
tained from the existing proof of race freedom, for example showing that interaction between 
parallel processes may occur through allocation and deallocation. This is significant, as such 
interaction leads to examples of the incompleteness of concurrent separation logic. 

There are a number of other areas for further research in addition to those mentioned above. One interesting consideration is the necessity (or otherwise) of precision in the proof of soundness of the logic. In forthcoming work, we hope to give a form of game semantics for the logic and a soundness proof without precision in the absence of Hoare's Law of Conjunction (L-Conjunction). Another area of interest is whether symmetry present in our semantics for allocation and resource declaration might be exploited properly to obtain more compact nets to represent processes.
Appendix A. Refinement

A sequence of events $\pi = (e_1, \ldots, e_n)$ considered from a marking $M$ can be thought of equivalently as a sequence $M \xrightarrow{e_1} M_1 \cdots \xrightarrow{e_n} M_n$. To describe the structure of such sequences, we shall say that $\pi$ from marking $M$ is of form $\Pi_1 \cdot \Pi_2$ if there exist $\pi_1$ and $\pi_2$ such that $\pi = \pi_1 \cdot \pi_2$, where $\cdot$ denotes the obvious concatenation of sequences, and $\pi_1$ is of form $\Pi_1$ from marking $M$ and $\pi_2$ is of form $\Pi_2$ from the marking obtained by following $\pi_1$ from $M$. Sequence $\pi$ is of form $\Pi^*$ if it is the concatenation of a finite number of sequences, each of form $\Pi$.

Throughout this section, when we consider the substitution $K[N]$ let $P_I$ and $P_T$ be defined as in Definition 6.2:

$P_I \stackrel{\mathrm{def}}{=} 1{:}{}^\bullet[-] \times 2{:}\mathrm{Ic}(N) \qquad P_T \stackrel{\mathrm{def}}{=} 1{:}[-]^\bullet \times 2{:}\mathrm{Tc}(N).$

Any reachable marking of conditions of the net can be partitioned into two sets: conditions that occur solely within $K$ and conditions that are either $N$-internal or in $P_I$ or $P_T$. Formally, a condition $c$ is a $K$-condition if $c = 1{:}c_1$ for some condition $c_1$ of $K$ not in ${}^\bullet[-]{}^\bullet$. A condition $c$ is an $N$-condition if either $c \in P_I \cup P_T$ or $c = 2{:}c_2$ for some condition $c_2$ of $N$ not in $\mathrm{Ic}(N) \cup \mathrm{Tc}(N)$. Recall that we call $2{:}c_2$ an $N$-internal condition. It is easy to see that, for any $\sigma_0$, from the marking $(\mathrm{Ic}(K[N]), \sigma_0)$ only $K$- or $N$-control conditions may be marked: If $(C, \sigma)$ is a reachable marking of $K[N]$, we have $C = C_N \cup C_K$ for some marking $C_N$ of $N$-conditions and some marking $C_K$ of $K$-conditions. We shall frequently use the notation $(C_N, C_K)$ for a marking of control conditions, where $C_N$ comprises only $N$-conditions and $C_K$ comprises only $K$-conditions.

Henceforth, when considering a substitution $K[N]$, we shall refer to an event $e$ as being an $N$-event if it is equal to $(P_I \cup P_T) \rhd 2{:}e_2$ for some $e_2$ in $N$. Otherwise, it is a $K$-event. A little care is necessary since an event in the net $K[N]$ might arise from both $K$ and $N$ if there are events $e$ and $e' \neq [-]$ of $N$ and $K$, respectively, with the same effect on state conditions and:

${}^\bullet e = \mathrm{Ic}(N), \quad e^\bullet = \mathrm{Tc}(N)$

${}^\bullet e' = {}^\bullet[-], \quad e'^\bullet = [-]^\bullet.$

Throughout the remainder of this section, for simplicity we shall require that the substitution $K[N]$ has no such events. This restriction may be lifted with little effect on the development so far by allowing the net formed to be non-extensional, or by considering this as a special case when demonstrating properties of the net $K[N]$.

Lemma A.1. In $K[N]$, no $K$-event has as either a pre- or a postcondition an $N$-internal condition.

Proof. Immediate from the definition of substitution $K[N]$. □

Recall that a marking $(C_N, C_K, \sigma)$ reachable from $(\mathrm{Ic}(K[N]), \sigma_0)$ is $N$-active if either 
there is an $N$-internal condition in $C_N$ or if $C_N = P_I$. It is useful to further classify the 
markings of conditions in $C_N$ according to whether they support the occurrence of $N$- or 
$K$-events on the conditions $P_I$ and $P_T$: 

Definition A.2. A marking $(C_N, C_K, \sigma)$ of $K[N]$ is an $N$-marking if for all $a, a' \in {}^\bullet[-]$, 
$x, x' \in [-]^\bullet$, $i \in \mathrm{Ic}(N)$ and $t \in \mathrm{Tc}(N)$: 

• if $(1{:}a, 2{:}i) \in C_N$ then $(1{:}a', 2{:}i) \in C_N$, and 

• if $(1{:}x, 2{:}t) \in C_N$ then $(1{:}x', 2{:}t) \in C_N$. 

A marking $(C_N, C_K, \sigma)$ of $K[N]$ is a $K$-marking if there is no $N$-internal condition marked, 
and furthermore, for all $a \in {}^\bullet[-]$, $x \in [-]^\bullet$, $i, i' \in \mathrm{Ic}(N)$ and $t, t' \in \mathrm{Tc}(N)$: 

• if $(1{:}a, 2{:}i) \in C_N$ then $(1{:}a, 2{:}i') \in C_N$, and 

• if $(1{:}x, 2{:}t) \in C_N$ then $(1{:}x, 2{:}t') \in C_N$. 

From a marking of control conditions $(C_N, C_K)$, we can extract markings of control 
conditions for the nets $N$ and $K$. We define $\rho_N(C_N)$ to be the marking of $N$ obtained from 
$(C_N, C_K)$, which does not depend on the marking $C_K$ of $K$-conditions, and $\rho_K(C_N, C_K)$ 
to be the marking of $K$ obtained from $(C_N, C_K)$, which does depend on the marking of $N$- 
conditions (namely, the marking of the $N$-conditions in $P_I \cup P_T$). 

For a marking $C$ of the context $K$, we define $\theta_K(C)$ to be the corresponding marking of 
$K[N]$. For a marking $C'$ of the net $N$, we define $\theta_N(C')$ to be the marking of $N$-conditions 
in the net $K[N]$ corresponding to $C'$. 

Definition A.3. Let $K[N]$ be any substitution. For any marking $C_N$ of $N$-conditions and 
$C_K$ of $K$-conditions, define 

\[
\begin{aligned}
\rho_K(C_N, C_K) ={}& \{\, a \in {}^\bullet[-] \mid \forall i \in \mathrm{Ic}(N).\ (1{:}a, 2{:}i) \in C_N \,\} \\
&\cup \{\, x \in [-]^\bullet \mid \forall t \in \mathrm{Tc}(N).\ (1{:}x, 2{:}t) \in C_N \,\} \\
&\cup \{\, c \notin {}^\bullet[-] \cup [-]^\bullet \mid 1{:}c \in C_K \,\} \\[4pt]
\rho_N(C_N) ={}& \{\, i \in \mathrm{Ic}(N) \mid \forall a \in {}^\bullet[-].\ (1{:}a, 2{:}i) \in C_N \,\} \\
&\cup \{\, t \in \mathrm{Tc}(N) \mid \forall x \in [-]^\bullet.\ (1{:}x, 2{:}t) \in C_N \,\} \\
&\cup \{\, c \notin \mathrm{Ic}(N) \cup \mathrm{Tc}(N) \mid 2{:}c \in C_N \,\}.
\end{aligned}
\]

For any marking $C$ of control conditions of the net $K$ and marking $C'$ of control conditions 
of the net $N$, define 

\[
\theta_K(C) = (P_I \cup P_T) \triangleleft 1{:}C
\qquad
\theta_N(C') = (P_I \cup P_T) \triangleright 2{:}C'.
\]

For an event $e$ of $K[N]$, define $\rho_N(e) = e'$ for the unique $e'$ such that $e = (P_I \cup P_T) \triangleright 2{:}e'$. 
For an event $e$ of $N$, define $\theta_N(e) = (P_I \cup P_T) \triangleright 2{:}e$. Define $\rho_K(e)$ and $\theta_K(e)$ similarly, apart 
from having $\theta_K([-])$ undefined. 

Lemma A.4. For any marking $C$ of control conditions of $K$, the marking $\theta_K(C)$ is a $K$- 
marking in $K[N]$. For any marking $C'$ of control conditions of $N$, the marking $\theta_N(C')$ is 
an $N$-marking in $K[N]$. 

Proof. Immediate from the definitions. □ 

It is clear that $\rho_N$ and $\theta_N$ form a bijection between $N$-events and $\mathrm{Ev}(N)$. It is also 
clear that $\rho_K$ and $\theta_K$ form a bijection between $K$-events and $\mathrm{Ev}(K) \setminus \{[-]\}$. On markings, 
the situation is a little more intricate: 

Lemma A.5. Let $K[N]$ be a substitution. For any marking of control conditions $C_K \cup C_N$ 
of $K[N]$ that is a $K$-marking and any marking $C$ of control conditions of $K$: 

\[
\theta_K(\rho_K(C_K \cup C_N)) = C_K \cup C_N \quad\text{and}\quad \rho_K(\theta_K(C)) = C.
\]

For any marking of control conditions $C_K \cup C_N$ of $K[N]$ that is an $N$-marking and any 
marking $C$ of control conditions of $N$: 

\[
\theta_N(\rho_N(C_N)) = C_N \quad\text{and}\quad \rho_N(\theta_N(C)) = C.
\]
Proof. First, let $C$ be any marking of control conditions of $K$. We shall show that $\rho_K(\theta_K(C)) = 
C$. Let $c$ be any control condition of the net $K$. Since $K$ is an embedded net, by the re- 
strictions imposed in Lemma 3.11 there are three distinct cases: $c \notin {}^\bullet[-]^\bullet$, $c \in {}^\bullet[-]$ or 
$c \in [-]^\bullet$. The first case is straightforward since the operation of $\theta_K$ on such conditions is 
to add a '$1{:}$'-tag which is removed by $\rho_K$. Now consider $c \in {}^\bullet[-]$; the case for $c \in [-]^\bullet$ will 
be similar. By the definition of $\theta_K$, since $\mathrm{Ic}(N)$ is nonempty (again by Lemma 3.11): 

\[
c \in C \quad\text{iff}\quad \forall i \in \mathrm{Ic}(N).\ (1{:}c, 2{:}i) \in \theta_K(C).
\]

From the definition of $\rho_K$, we have $\forall i \in \mathrm{Ic}(N).\ (1{:}c, 2{:}i) \in \theta_K(C)$ iff $c \in \rho_K(\theta_K(C))$. So 
$c \in C$ iff $c \in \rho_K(\theta_K(C))$. 

Now suppose that $(C_K, C_N)$ is a $K$-marking of the substitution $K[N]$. Let $c$ be any 
condition of the net $K[N]$. There are three distinct possible cases: $c \notin P_I \cup P_T$, $c \in P_I$ or 
$c \in P_T$. First, suppose that $c \notin P_I \cup P_T$. 

\[
\begin{array}{lll}
c \in C_N \cup C_K & \text{iff } c \in C_K & \text{(def. of $K$-marking)} \\
& \text{iff } \exists c_1.\ (c_1 \in \rho_K(C_N, C_K) \text{ and } c = 1{:}c_1) & \text{(def. of $\rho_K$)} \\
& \text{iff } c \in \theta_K(\rho_K(C_N, C_K)) & \text{(def. of $\theta_K$)}
\end{array}
\]

Now suppose that $c \in P_I$, so $c = (1{:}a, 2{:}i)$ for some $a \in {}^\bullet[-]$ and $i \in \mathrm{Ic}(N)$: 

\[
\begin{array}{lll}
c \in C_N \cup C_K & \text{iff } \forall i' \in \mathrm{Ic}(N).\ (1{:}a, 2{:}i') \in C_N \cup C_K & \text{(def. of $K$-marking)} \\
& \text{iff } a \in \rho_K(C_N \cup C_K) & \text{(def. of $\rho_K$)} \\
& \text{iff } c \in \theta_K(\rho_K(C_N, C_K)) & \text{(def. of $\theta_K$)}
\end{array}
\]

We have a similar analysis if $c \in P_T$. Hence $(C_K, C_N) = \theta_K(\rho_K(C_K, C_N))$. 

For any marking of control conditions $C$ of the net $N$ and any $N$-marking $(C_K, C_N)$, 

\[
\theta_N(\rho_N(C_N)) = C_N \quad\text{and}\quad \rho_N(\theta_N(C)) = C
\]

are shown similarly, this time with the first analysis considering conditions in $\mathrm{Ic}(N)$, $\mathrm{Tc}(N)$ 
and conditions not in either set. □ 
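The following Python script is an added illustration and is not part of the paper. It builds the tagged conditions of a small constructed substitution $K[N]$ (the nets, the condition names and the shape of the hole are assumptions made for the example), implements $\rho_K$, $\rho_N$, $\theta_K$ and $\theta_N$ as in Definition A.3 together with the $K$-/$N$-marking tests of Definition A.2, and checks the round trips of Lemma A.5 on concrete markings. It also shows the point the lemma's hypotheses carry: a marking with $C_N = P_I$ is both a $K$- and an $N$-marking, whereas a marking reached part-way through a run of $N$ is an $N$-marking only, so $\theta_K(\rho_K(M)) = M$ fails for it and $\rho_K$ reports the hole as unmarked.

```python
"""Tagged conditions and the rho/theta maps of Definition A.3 on a constructed K[N].
Added example: the nets, condition names and markings below are made up."""
from itertools import product

# Constructed context K: hole neighbourhood •[-], [-]• and the other control conditions.
PRE_HOLE = frozenset({"a1", "a2"})
POST_HOLE = frozenset({"x1"})
K_OTHER = frozenset({"k0", "k1"})
# Constructed net N: Ic(N), Tc(N) and the internal control conditions.
IC_N = frozenset({"i1", "i2"})
TC_N = frozenset({"t1"})
N_INTERNAL = frozenset({"m1"})

# P_I = 1:•[-] x 2:Ic(N) and P_T = 1:[-]• x 2:Tc(N) as pairs of tagged conditions.
P_I = frozenset((("1", a), ("2", i)) for a, i in product(PRE_HOLE, IC_N))
P_T = frozenset((("1", x), ("2", t)) for x, t in product(POST_HOLE, TC_N))


def split(marking):
    """Partition a marking of K[N] into (C_N, C_K): N-conditions are P_I, P_T and
    the '2:'-tagged internal conditions; the rest are '1:'-tagged K-conditions."""
    c_n = frozenset(c for c in marking if c in P_I or c in P_T or c[0] == "2")
    return c_n, frozenset(marking - c_n)


def is_n_marking(marking):
    """Definition A.2: if (1:a,2:i) is marked then so is (1:a',2:i) for every a'
    (likewise for (1:x,2:t)), i.e. marked P_I/P_T conditions come in full columns."""
    c_n, _ = split(marking)
    cols_i = all((("1", a2), ("2", i)) in c_n
                 for a1, a2, i in product(PRE_HOLE, PRE_HOLE, IC_N)
                 if (("1", a1), ("2", i)) in c_n)
    cols_t = all((("1", x2), ("2", t)) in c_n
                 for x1, x2, t in product(POST_HOLE, POST_HOLE, TC_N)
                 if (("1", x1), ("2", t)) in c_n)
    return cols_i and cols_t


def is_k_marking(marking):
    """Definition A.2: no N-internal condition marked, and marked P_I/P_T conditions
    come in full rows: (1:a,2:i) marked implies (1:a,2:i') marked for every i'."""
    c_n, _ = split(marking)
    if any(c[0] == "2" for c in c_n):
        return False
    rows_a = all((("1", a), ("2", i2)) in c_n
                 for a, i1, i2 in product(PRE_HOLE, IC_N, IC_N)
                 if (("1", a), ("2", i1)) in c_n)
    rows_x = all((("1", x), ("2", t2)) in c_n
                 for x, t1, t2 in product(POST_HOLE, TC_N, TC_N)
                 if (("1", x), ("2", t1)) in c_n)
    return rows_a and rows_x


def rho_k(marking):
    """rho_K(C_N, C_K): the marking of K read off a marking of K[N]."""
    c_n, c_k = split(marking)
    hole = {a for a in PRE_HOLE if all((("1", a), ("2", i)) in c_n for i in IC_N)}
    hole |= {x for x in POST_HOLE if all((("1", x), ("2", t)) in c_n for t in TC_N)}
    return frozenset(hole | {c for c in K_OTHER if ("1", c) in c_k})


def rho_n(marking):
    """rho_N(C_N): the marking of N read off a marking of K[N]; C_K plays no part."""
    c_n, _ = split(marking)
    ends = {i for i in IC_N if all((("1", a), ("2", i)) in c_n for a in PRE_HOLE)}
    ends |= {t for t in TC_N if all((("1", x), ("2", t)) in c_n for x in POST_HOLE)}
    return frozenset(ends | {c for c in N_INTERNAL if ("2", c) in c_n})


def theta_k(c):
    """theta_K(C) = (P_I u P_T) <| 1:C: a hole condition a of K expands to its whole row."""
    out = {("1", k) for k in c & K_OTHER}
    out |= {(("1", a), ("2", i)) for a, i in product(c & PRE_HOLE, IC_N)}
    out |= {(("1", x), ("2", t)) for x, t in product(c & POST_HOLE, TC_N)}
    return frozenset(out)


def theta_n(c):
    """theta_N(C') = (P_I u P_T) |> 2:C': an initial condition i of N expands to its column."""
    out = {("2", m) for m in c & N_INTERNAL}
    out |= {(("1", a), ("2", i)) for a, i in product(PRE_HOLE, c & IC_N)}
    out |= {(("1", x), ("2", t)) for x, t in product(POST_HOLE, c & TC_N)}
    return frozenset(out)


def round_trip_k(marking):
    """Lemma A.5, first half: theta_K(rho_K(M)) = M, which needs M to be a K-marking."""
    return theta_k(rho_k(marking)) == marking


def round_trip_n(marking):
    """Lemma A.5, second half: theta_N(rho_N(C_N)) = C_N for an N-marking."""
    return theta_n(rho_n(marking)) == split(marking)[0]


# Constructed markings of K[N]: ENTRY has C_N = P_I (K is about to hand over to N);
# MID is reached after an N-event has consumed the column of i1 and produced 2:m1.
ENTRY = theta_k(frozenset({"k0", "a1", "a2"}))
MID = frozenset({("1", "k0"), ("2", "m1")}) | frozenset(
    (("1", a), ("2", "i2")) for a in PRE_HOLE)

if __name__ == "__main__":
    print("ENTRY:", is_k_marking(ENTRY), is_n_marking(ENTRY), rho_k(ENTRY), rho_n(ENTRY))
    print("MID:  ", is_k_marking(MID), is_n_marking(MID), rho_k(MID), rho_n(MID))
    print("round trips:", round_trip_k(ENTRY), round_trip_k(MID), round_trip_n(MID))
```

Running the script prints that `ENTRY` satisfies both marking predicates (property (4) in the proof of Lemma A.8) and that `rho_n(ENTRY)` is exactly $\mathrm{Ic}(N)$, the equation $\rho_N(P_I) = \mathrm{Ic}(N)$ used there; `MID` is an $N$-marking only, and `round_trip_k(MID)` is `False` because $\rho_K$ discards the partial column of $P_I$.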

Lemma A.6. Let $(C_K, C_N, \sigma)$ and $(C'_K, C'_N, \sigma')$ be markings of $K[N]$. Suppose that $e$ is 
an event such that $(C_K, C_N, \sigma) \xrightarrow{e} (C'_K, C'_N, \sigma')$. 

(1) If $e$ is a $K$-event and $(C_K, C_N)$ and $(C'_K, C'_N)$ are $K$-markings then 

\[
(\rho_K(C_K, C_N), \sigma) \xrightarrow{\rho_K(e)} (\rho_K(C'_K, C'_N), \sigma') \text{ in } K.
\]

(2) If $e$ is an $N$-event and $(C_K, C_N)$ and $(C'_K, C'_N)$ are $N$-markings then $C_K = C'_K$ and 

\[
(\rho_N(C_N), \sigma) \xrightarrow{\rho_N(e)} (\rho_N(C'_N), \sigma') \text{ in } N.
\]

Proof. First consider (1). The event $e$ is a $K$-event, so there is an event $e_1$ of $K$ such that 
$e_1 \neq [-]$ and $e = (P_I \cup P_T) \triangleleft 1{:}e_1$. We have 

\[
(C_N, C_K, \sigma) \xrightarrow{e} (C'_N, C'_K, \sigma')
\]

in $K[N]$. By Lemma A.5 we have $\theta_K(\rho_K(C_N, C_K)) = (C_N, C_K)$ and $\theta_K(\rho_K(C'_N, C'_K)) = 
(C'_N, C'_K)$. From the definition of $\theta_K$, we therefore have 

\[
((P_I \cup P_T) \triangleleft 1{:}\rho_K(C_N, C_K), \sigma) \xrightarrow{(P_I \cup P_T) \triangleleft 1{:}e_1} ((P_I \cup P_T) \triangleleft 1{:}\rho_K(C'_N, C'_K), \sigma').
\]

Using Lemma 3.6 we may therefore conclude that 

\[
(\rho_K(C_N, C_K), \sigma) \xrightarrow{e_1} (\rho_K(C'_N, C'_K), \sigma')
\]

in $K$. The proof of (2) is similar. □ 
Lemma A.7. (1) Let $C$ and $C'$ be markings of control conditions of $K$. If $(C, \sigma) \xrightarrow{e} 
(C', \sigma')$ in $K$ then $(\theta_K(C), \sigma) \xrightarrow{\theta_K(e)} (\theta_K(C'), \sigma')$ in $K[N]$. 

(2) Now let $C$ and $C'$ be markings of control conditions of $N$. If $(C, \sigma) \xrightarrow{e} (C', \sigma')$ 
in $N$ then $(\theta_N(C), C_K, \sigma) \xrightarrow{\theta_N(e)} (\theta_N(C'), C_K, \sigma')$ in $K[N]$ for any marking $C_K$ of 
$K$-conditions. 

Proof. First consider (1). Suppose that $(C, \sigma) \xrightarrow{e} (C', \sigma')$ in $K$ for some event $e \neq [-]$. By 
Lemma 3.6 we have 

\[
((P_I \cup P_T) \triangleleft 1{:}C, \sigma) \xrightarrow{(P_I \cup P_T) \triangleleft 1{:}e} ((P_I \cup P_T) \triangleleft 1{:}C', \sigma')
\]

in $K[N]$. Since $\theta_K(C) = (P_I \cup P_T) \triangleleft 1{:}C$, and similarly for $C'$ and $e$, we therefore have 

\[
(\theta_K(C), \sigma) \xrightarrow{\theta_K(e)} (\theta_K(C'), \sigma'),
\]

as required. The proof of (2) is similar. □ 

We are now able to characterize the runs of the net $K[N]$ when a non-interfering 
substitution is formed. 

Lemma A.8. Let $K[N]$ be a non-interfering substitution from $\sigma_0$. Any complete sequence 
$\pi$ from $(\mathrm{Ic}(K[N]), \sigma_0)$ is of the form $\Pi_0 \cdot (\Pi_1 \cdot \Pi_0)^*$, where: 

• $\Pi_0$ ranges over sequences consisting of $K$-events between $K$-markings. 

• $\Pi_1$ ranges over nonempty sequences $\pi_1$ of any events between $N$-markings, where 
no $K$-event uses any condition in $P_I$ or $P_T$. If $(C_N \cup C_K, \sigma)$ and $(C'_N \cup C'_K, \sigma')$ are 
the initial and final markings of $\pi_1$, respectively, then $C_N = P_I$ and $C'_N = P_T$. The 
first event of $\pi_1$ is an $N$-event and the final event of $\pi_1$ is also an $N$-event. 

Proof. We first show that any sequence $\pi$ from $(\mathrm{Ic}(K[N]), \sigma_0)$ is of the form $\Pi_0 \cdot (\Pi_1 \cdot 
\Pi_0)^*$ or $\Pi_0 \cdot (\Pi_1 \cdot \Pi_0)^* \cdot \Pi'_1$ by induction on the length of the sequence, where a sequence $\pi_1$ is of 
form $\Pi'_1$ if: 

• it is a sequence of $K$- and $N$-events between $N$-markings where no $K$-event uses 
any condition in $P_I$ or $P_T$, and 

• if $(C_N, C_K, \sigma)$ is the initial marking of $\pi_1$ then $C_N = P_I$, and the first event of $\pi_1$ is 
an $N$-event. 

We shall simultaneously show that if $\pi : (\mathrm{Ic}(K[N]), \sigma_0) \longrightarrow^{*} (C_N, C_K, \sigma)$ and $(C_N, C_K, \sigma)$ 
is an $N$-marking then either it is $N$-active or $C_N = P_T$. Furthermore, if $P_T \subseteq C_N$ then 
$P_T = C_N$. 

The base case for the induction is straightforward. Suppose that $\pi : (\mathrm{Ic}(K[N]), \sigma_0) \longrightarrow^{*} 
M$ where $M = (C_N, C_K, \sigma)$ and that $e$ is an event such that $M \xrightarrow{e} M'$. Let $M' = 
(C'_N, C'_K, \sigma')$. We shall show that $\pi \cdot e$ from marking $(\mathrm{Ic}(K[N]), \sigma_0)$ is of the correct form 
and that $M'$ satisfies the required properties. 

Suppose that $M'$ is an $N$-marking but $C'_N \neq P_T$ and $M'$ is not $N$-active. As $M'$ is not 
$N$-active, we must have $C'_N \neq P_I$. From the induction hypothesis, there must exist a path 
$\pi'$ and markings $C''_K$ and $\sigma''$ such that 

\[
\pi' : (P_I, C''_K, \sigma'') \longrightarrow^{*} (C'_N, C'_K, \sigma')
\]

and $(P_I, C''_K, \sigma'')$ is reachable from $(\mathrm{Ic}(K[N]), \sigma_0)$. Furthermore, from $(P_I, C''_K, \sigma'')$ the path 
$\pi'$ is between $N$-active markings. Since $K[N]$ is a non-interfering substitution from state 
$\sigma_0$, it follows from the requirement that consecutive $K$- and $N$-events must be independent 
that there must exist paths $\pi_1$ and $\pi_2$ made exclusively of $N$- and $K$-events, respectively, 
such that $\pi_1 \cdot \pi_2 : (P_I, C''_K, \sigma'') \longrightarrow^{*} (C'_N, C'_K, \sigma')$. Since $N$-events do not affect the mark- 
ing of $K$-conditions and, because $K[N]$ is a non-interfering substitution from $\sigma_0$, $K$-events do 
not affect the marking of $N$-conditions along the path $\pi_2$, 
there exists a state $\sigma_1$ such that $\pi_1 : (P_I, C''_K, \sigma'') \longrightarrow^{*} (C'_N, C''_K, \sigma_1)$. Since $\rho_N(P_I) = \mathrm{Ic}(N)$, a 
simple induction on the length of this sequence using Lemma A.6 shows that the marking 
$(\rho_N(C'_N), \sigma_1)$ is reachable from $(\mathrm{Ic}(N), \sigma'')$ in $N$. Consider the ways in which the $N$-marking 
$(C'_N, C'_K, \sigma')$ may fail to be $N$-active: firstly, if $C'_N \subsetneq P_I$, it follows that $\rho_N(C'_N) \subsetneq \mathrm{Ic}(N)$. 
Since $(\rho_N(C'_N), \sigma_1)$ is reachable from $(\mathrm{Ic}(N), \sigma'')$, this contradicts the requirement of Defini- 
tion 3.13. The proof is similar in the other cases, $C'_N \subsetneq P_T$ and $P_T \subsetneq C'_N$, which may cause 
the marking to fail to be $N$-active without $C'_N = P_T$. 

To complete the proof, it suffices to show the following properties: 

(1) $K$-events preserve $K$-markings: if $M$ is a $K$-marking and $e$ is a $K$-event and $M \xrightarrow{e} 
M'$ then $M'$ is a $K$-marking. 

(2) $N$-events preserve $N$-markings: if $M$ is an $N$-marking and $e$ is an $N$-event and 
$M \xrightarrow{e} M'$ then $M'$ is an $N$-marking. 

(3) If $e$ is a $K$-event with no pre- or postcondition inside $P_I \cup P_T$ and $M$ is an $N$-marking 
and $M \xrightarrow{e} M'$ then $M'$ is an $N$-marking. 

(4) The only markings that are both $N$- and $K$-markings are of the form $(P_I, C_K, \sigma)$ or 
$(P_T, C_K, \sigma)$ or $(P_I \cup P_T, C_K, \sigma)$ for some $C_K$ and $\sigma$. 

(5) No $N$-event has concession in any reachable marking that is not $N$-active. 

Properties (1) and (2) are straightforward calculations using Lemmas A.4, A.5 and A.6. 
Property (3) follows immediately from Lemma A.1. Property (4) is obvious from the defini- 
tions of $N$- and $K$-markings. Property (5) is straightforward from the induction hypotheses 
and the fact that no event has concession in the terminal marking of $N$ according to the 
requirements of Lemma 3.11. 

Finally, to see that any complete run is of the form $\Pi_0 \cdot (\Pi_1 \cdot \Pi_0)^*$, observe that the 
terminal marking of control conditions $\mathrm{Tc}(K[N])$ is a $K$-marking. There are no $C_K$ and $\sigma$ 
such that the marking $(P_I, C_K, \sigma)$ is terminal since then ${}^\bullet[-] \cap \mathrm{Tc}(K) \neq \emptyset$, contradicting 
the requirement that $K$ should be an embedded net satisfying the requirements of Lemma 
3.11. Hence the terminal marking is not $N$-active. □ 

Having now dealt with the control structure of contexts, we return to the idea that, 
given a net $K[N_1]$ which is a non-interfering substitution from state $\sigma$, the events in any 
sequence may be reordered in a way that ensures that events of $N_1$ occur consecutively and 
form a "complete run" of the net $N_1$. As $N_1 \sim N_2$, the net $K[N_2]$ will therefore have a 
path between the same sets of state conditions. 

To formalize this, let $\pi$ be any sequential run of a non-interfering substitution $K[N]$ from 
marking $M$. The set $\mathcal{P}_{K[N]}(\pi, M)$ is defined to be the least set of sequences from marking 
$M$ of $K[N]$ that contains the sequence $\pi$ and is closed under the operation of swapping 
consecutive independent events. It is easy to see that if $\pi : M \longrightarrow^{*} M'$ and $\pi' \in \mathcal{P}_{K[N]}(\pi, M)$ then 
$\pi' : M \longrightarrow^{*} M'$ for any paths $\pi$ and $\pi'$. Define the order $\prec$ on $\mathcal{P}_{K[N]}(\pi, M)$ as follows: 

Definition A.9. Let $\pi, \pi' \in \mathcal{P}_{K[N]}(\pi_0, M)$. Define $\prec$ to be the transitive closure of $\prec_1$, 
where $\pi \prec_1 \pi'$ iff there exist sequences $\pi_1$ and $\pi_2$, an $N$-event $e$ and a $K$-event $e'$ such that 
$e \mathrel{I} e'$ and $\pi = \pi_1 \cdot e \cdot e' \cdot \pi_2$ and $\pi' = \pi_1 \cdot e' \cdot e \cdot \pi_2$. 

It is clear that the order $\prec$ is well-founded since any path is, by definition, of finite 
length. 

Definition A.10. Say that a sequence $\pi$ of $K[N]$ from marking $M$ is $N$-complete if $M = 
(P_I, C_K, \sigma)$ for some $C_K$ and $\sigma$, every event of $\pi$ is an $N$-event, and 

Lemma A.11. Let $K[N]$ be a non-interfering substitution from state $\sigma_0$ and let $M_0 = 
(\mathrm{Ic}(K[N]), \sigma_0)$. Suppose that $\pi_0$ is a complete sequence of $K[N]$ from $M_0$. The $\prec$-minimal 
elements of $\mathcal{P}_{K[N]}(\pi_0, M_0)$ are of the form 

\[
\Pi_0 \cdot (\Pi_N \cdot \Pi_0)^*,
\]

where $\Pi_N$ matches $N$-complete paths and $\Pi_0$ is as in Lemma A.8. 

Proof. Suppose that $\pi$ is a $\prec$-minimal element of $\mathcal{P}_{K[N]}(\pi_0, M_0)$ but not of the form above. 
The sequence $\pi$ is of the form of Lemma A.8 because $\pi$ is a complete path of $K[N]$. 
Consequently, there are $\pi_1$, $\pi_2$ and $\pi_3$ such that $\pi = \pi_1 \cdot \pi_2 \cdot \pi_3$ and $\pi_2 = (e \cdot e')$ where $e$ is 
a $K$-event and $e'$ is an $N$-event. Furthermore, the marking $M_1$ such that $\pi_1 : M_0 \longrightarrow^{*} M_1$ 
is $N$-active. Now, from the definition of non-interfering substitution, the events $e$ and $e'$ 
are independent. Hence the sequence $\pi_1 \cdot e' \cdot e \cdot \pi_3$ is in $\mathcal{P}_{K[N]}(\pi_0, M_0)$ and is beneath $\pi$, 
contradicting its minimality. □ 
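As an added example (not from the paper), the script below realises the reordering behind Definition A.9 and Lemma A.11 on a constructed net. Events carry a $K$/$N$ tag and pre- and postcondition sets; independence is taken to be disjointness of the conditions an event touches, an assumption standing in for the paper's relation $I$; and a run is normalised by repeatedly replacing an adjacent pair $e' \cdot e$ (a $K$-event followed by an independent $N$-event) by $e \cdot e'$. Each swap moves down the well-founded order $\prec$, so the loop terminates, and on the constructed run the result gathers the $N$-events into one contiguous block while reaching the same final marking, which is the shape $\Pi_0 \cdot (\Pi_N \cdot \Pi_0)^*$ of the lemma.

```python
"""Normalising a run of K[N] by swapping adjacent independent (K-event, N-event) pairs,
after Definition A.9 and Lemma A.11. Added example: the net and the run are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    kind: str          # "K" for a K-event, "N" for an N-event
    pre: frozenset     # preconditions •e
    post: frozenset    # postconditions e•


def independent(e, f):
    """Assumed independence relation: the two events touch disjoint sets of conditions."""
    return (e.pre | e.post).isdisjoint(f.pre | f.post)


def fire(marking, e):
    """One token-game step; raises if e has no concession in the marking."""
    if not e.pre <= marking:
        raise ValueError(f"{e.name} has no concession")
    return (marking - e.pre) | e.post


def final_marking(initial, run):
    """Marking reached by following the run from the initial marking."""
    m = initial
    for e in run:
        m = fire(m, e)
    return m


def normalise(run):
    """Replace every adjacent e'·e (K-event e', independent N-event e) by e·e' until no such
    pair is left. Each swap is a step down the order of Definition A.9, which is well-founded,
    so this terminates; the result is a <-minimal element of P_{K[N]}(run, initial)."""
    run = list(run)
    changed = True
    while changed:
        changed = False
        for i in range(len(run) - 1):
            e1, e2 = run[i], run[i + 1]
            if e1.kind == "K" and e2.kind == "N" and independent(e1, e2):
                run[i], run[i + 1] = e2, e1
                changed = True
    return run


def blocks(run):
    """Run-length encoding of event kinds, e.g. [('K', 1), ('N', 2), ('K', 3)]."""
    out = []
    for e in run:
        if out and out[-1][0] == e.kind:
            out[-1] = (e.kind, out[-1][1] + 1)
        else:
            out.append((e.kind, 1))
    return out


def names(run):
    return [e.name for e in run]


# Constructed K[N]: "ai" stands for the single condition of P_I, "xt" for the single
# condition of P_T, "m" is N-internal, and p0 -> p1 -> p2 is a parallel branch of the
# context K that runs alongside N without sharing any condition with it.
K_ENTER = Event("k_enter", "K", frozenset({"k0"}), frozenset({"ai"}))
N1 = Event("n1", "N", frozenset({"ai"}), frozenset({"m"}))
N2 = Event("n2", "N", frozenset({"m"}), frozenset({"xt"}))
K_EXIT = Event("k_exit", "K", frozenset({"xt"}), frozenset({"k3"}))
Q1 = Event("q1", "K", frozenset({"p0"}), frozenset({"p1"}))
Q2 = Event("q2", "K", frozenset({"p1"}), frozenset({"p2"}))
INITIAL = frozenset({"k0", "p0"})

# Constructed complete run in which the context's q1 fires in the middle of N's run.
INTERLEAVED = [K_ENTER, N1, Q1, N2, Q2, K_EXIT]

if __name__ == "__main__":
    norm = normalise(INTERLEAVED)
    print(names(INTERLEAVED), blocks(INTERLEAVED))
    print(names(norm), blocks(norm))
    print(final_marking(INITIAL, INTERLEAVED) == final_marking(INITIAL, norm))
```

The final-marking comparison is the remark preceding Definition A.9 that every $\pi' \in \mathcal{P}_{K[N]}(\pi, M)$ reaches the marking $\pi$ reaches. The independence test is what keeps that true: `k_enter` and `n1` share the condition `ai`, so `normalise` never swaps them, and a version without the test would produce a sequence in which `n1` has no concession.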

This gives us the ability to prove Theorem 6.7 by induction on paths of $K[N_1]$. 

Theorem A.12. If $K[N_1]$ and $K[N_2]$ are non-interfering substitutions from $\sigma_0$ and $N_1 \sim N_2$ 
then, for all states $\sigma$: 

\[
K[N_1] : \sigma_0 \Downarrow \sigma \quad\text{iff}\quad K[N_2] : \sigma_0 \Downarrow \sigma.
\]

Proof. Suppose that $\pi$ is a complete sequence of $K[N_1]$ from $\sigma_0$ to $\sigma'$. We shall show 
that, for all $\pi_1 \in \mathcal{P}_{K[N_1]}(\pi, (\mathrm{Ic}(K[N_1]), \sigma_0))$, if $\pi_1$ is a complete sequence from $\sigma_0$ to $\sigma'$ 
then there exists a complete sequence $\pi_2$ of $K[N_2]$ from $\sigma_0$ to $\sigma'$. The proof shall proceed 
by induction on the well-founded order $\prec$. In particular $\pi \in \mathcal{P}_{K[N_1]}(\pi, (\mathrm{Ic}(K[N_1]), \sigma_0))$, so, 
with the symmetric proof for the other direction, this will complete the proof of the required 
property. 

($\pi_1$ minimal) The sequence $\pi_1$ is minimal within $\mathcal{P}_{K[N_1]}(\pi, \sigma_0)$, so, by Lemma A.11, there 
exists an $n \in \mathbb{N}$ such that there exist sequences $\pi_0, \pi_{01}, \pi_{11}, \ldots, \pi_{0n}, \pi_{1n}$ with 

\[
\pi_1 = \pi_0 \cdot \pi_{11} \cdot \pi_{01} \cdots \pi_{1n} \cdot \pi_{0n}.
\]

Furthermore, for each $i \leq n$, the sequence $\pi_{0i}$ is of the form $\Pi_0$ defined in Lemma A.8, 
as is the sequence $\pi_0$, and, for each $i \leq n$, the sequence $\pi_{1i}$ is of the form $\Pi_{N_1}$, which 
matches $N_1$-complete subpaths of $K[N_1]$ as defined in Definition A.10. Define: 

\[
\begin{aligned}
P_I^{(1)} &= 1{:}{}^\bullet[-] \times 2{:}\mathrm{Ic}(N_1) & P_I^{(2)} &= 1{:}{}^\bullet[-] \times 2{:}\mathrm{Ic}(N_2) \\
P_T^{(1)} &= 1{:}[-]^\bullet \times 2{:}\mathrm{Tc}(N_1) & P_T^{(2)} &= 1{:}[-]^\bullet \times 2{:}\mathrm{Tc}(N_2).
\end{aligned}
\]

Let $\rho_K^{(1)}$ be $\rho_K$ from Definition A.3 for $K[N_1]$ and let $\rho_K^{(2)}$ be $\rho_K$ from Definition A.3 
for $K[N_2]$, and similarly for $\rho_N^{(1)}$, $\rho_N^{(2)}$, $\theta_K^{(1)}$, etc. We shall show, by induction on $n$, 
that if $\pi_1$ is a sequence of this form in $K[N_1]$ from $(\mathrm{Ic}(K[N_1]), \sigma_0)$ to the marking 
$(C'_1, \sigma')$ then there exists a path $\pi_2$ from $(\mathrm{Ic}(K[N_2]), \sigma_0)$ to $(C'_2, \sigma')$ for some $C'_2$ such 
that $\rho_K^{(1)}(C'_1) = \rho_K^{(2)}(C'_2)$. 
• $n = 0$: Assume that $\pi_1$ is of the form $\Pi_0$. Let $\pi_1 = (e_1 \cdot \ldots \cdot e_m)$ and suppose that 
in $K[N_1]$ we have 

\[
(\mathrm{Ic}(K[N_1]), \sigma_0) \xrightarrow{e_1} (C_1, \sigma_1) \xrightarrow{e_2} \cdots \xrightarrow{e_m} (C_m, \sigma_m).
\]

By assumption, $\pi_1$ is a path from $(\mathrm{Ic}(K[N_1]), \sigma_0)$ to $(C'_1, \sigma')$, so $C'_1 = C_m$ and 
$\sigma' = \sigma_m$. Now, $\mathrm{Ic}(K[N_1])$ is a $K$-marking, and, since $\pi_1$ is of the form $\Pi_0$, for 
every $i$ such that $0 < i \leq m$, the marking $C_i$ is a $K$-marking and $e_i$ is a $K$-event. 
By Lemma A.6, in the net $K$ we have 

\[
(\rho_K^{(1)}(\mathrm{Ic}(K[N_1])), \sigma_0) \xrightarrow{\rho_K^{(1)}(e_1)} (\rho_K^{(1)}(C_1), \sigma_1) \xrightarrow{\rho_K^{(1)}(e_2)} \cdots \xrightarrow{\rho_K^{(1)}(e_m)} (\rho_K^{(1)}(C_m), \sigma_m).
\]

In the net $K[N_2]$, by Lemma A.7, we therefore have 

\[
(\theta_K^{(2)}(\rho_K^{(1)}(\mathrm{Ic}(K[N_1]))), \sigma_0) \xrightarrow{\theta_K^{(2)}(\rho_K^{(1)}(e_1))} (\theta_K^{(2)}(\rho_K^{(1)}(C_1)), \sigma_1) \xrightarrow{\theta_K^{(2)}(\rho_K^{(1)}(e_2))} \cdots \xrightarrow{\theta_K^{(2)}(\rho_K^{(1)}(e_m))} (\theta_K^{(2)}(\rho_K^{(1)}(C_m)), \sigma_m).
\]

Let $C'_2 = \theta_K^{(2)}(\rho_K^{(1)}(C_m))$. From Lemma A.4, $\theta_K^{(2)}$ generates $K$-markings of $K[N_2]$ 
from markings of $K$. By Lemma A.5 we therefore have $\rho_K^{(2)}(C'_2) = \rho_K^{(1)}(C'_1)$ 
since $C'_1 = C_m$, which is a $K$-marking. It is an easy calculation to show that 
$\rho_K^{(1)}(\mathrm{Ic}(K[N_1])) = \mathrm{Ic}(K)$ and $\theta_K^{(2)}(\mathrm{Ic}(K)) = \mathrm{Ic}(K[N_2])$. There therefore exists a 
path from $(\mathrm{Ic}(K[N_2]), \sigma_0)$ to $(C'_2, \sigma_m)$ in $K[N_2]$ and $\rho_K^{(2)}(C'_2) = \rho_K^{(1)}(C'_1)$, which is 
all that is required since $\sigma_m = \sigma'$. 

• $n > 0$: Assume that $\pi_1 = \pi_{11} \cdot \pi_{12} \cdot \pi_{13}$ for some sequence $\pi_{11}$ of form $\Pi_0 \cdot (\Pi_{N_1} \cdot 
\Pi_0)^{n-1}$, some sequence $\pi_{12}$ of form $\Pi_{N_1}$ and some sequence $\pi_{13}$ of form $\Pi_0$. Let 
$(C'_1, \sigma')$ be the marking obtained by following $\pi_1$ from $(\mathrm{Ic}(K[N_1]), \sigma_0)$ in $K[N_1]$. 
We wish to show that there is a path $\pi_2$ of $K[N_2]$ from $(\mathrm{Ic}(K[N_2]), \sigma_0)$ to $(C'_2, \sigma')$ 
for some $C'_2$ such that $\rho_K^{(1)}(C'_1) = \rho_K^{(2)}(C'_2)$. 

Let $(C_{11}, \sigma_1)$ be the marking obtained by following path $\pi_{11}$ from $(\mathrm{Ic}(K[N_1]), \sigma_0)$. 
Since $\pi_{12}$ follows $\pi_{11}$ and $\pi_{12}$ is of form $\Pi_{N_1}$, it must be the case that $C_{11} = 
(P_I^{(1)}, C_K)$ for some marking $C_K$ of $K$-conditions. 

By induction, there is a path $\pi_{21}$ in $K[N_2]$ from $(\mathrm{Ic}(K[N_2]), \sigma_0)$ to $(C_{21}, \sigma_1)$ for 
some $C_{21}$ such that $\rho_K^{(1)}(C_{11}) = \rho_K^{(2)}(C_{21})$. Now, $C_{11} = (P_I^{(1)}, C_K)$, so $\rho_K^{(1)}(C_{11}) = 
{}^\bullet[-] \cup \{\, c \mid 1{:}c \in C_K \,\}$. From the definition of $\rho_K^{(2)}$, we must therefore have 
$C_{21} = (P_I^{(2)}, C_K)$. Hence 

\[
\pi_{21} : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (P_I^{(2)}, C_K, \sigma_1).
\]

Suppose that in $K[N_1]$ we have $\pi_{12} : (P_I^{(1)}, C_K, \sigma_1) \longrightarrow^{*} (C'_N, C'_K, \sigma_2)$. Since $\pi_{12}$ 
is of the form $\Pi_{N_1}$, it is an $N_1$-complete path, so $C'_N = P_T^{(1)}$. The events of $\pi_{12}$ 
are all $N$-events. Using Lemma A.6, a simple induction shows that $C_K = C'_K$ 
and that there is a path from $(\rho_N^{(1)}(P_I^{(1)}), \sigma_1)$ to $(\rho_N^{(1)}(P_T^{(1)}), \sigma_2)$ in $N_1$. Observe 
that $\rho_N^{(1)}(P_I^{(1)}) = \mathrm{Ic}(N_1)$ and $\rho_N^{(1)}(P_T^{(1)}) = \mathrm{Tc}(N_1)$, so $N_1 : \sigma_1 \Downarrow \sigma_2$. As $N_1 \sim N_2$, 
there is therefore a path of $N_2$ from $(\mathrm{Ic}(N_2), \sigma_1)$ to $(\mathrm{Tc}(N_2), \sigma_2)$. By Lemma A.7, 
a simple induction on the length of this sequence shows that there is a sequence 
$\pi_{22}$ from $(\theta_N^{(2)}(\mathrm{Ic}(N_2)), C_K, \sigma_1)$ to $(\theta_N^{(2)}(\mathrm{Tc}(N_2)), C_K, \sigma_2)$ in $K[N_2]$. Observe that 
$\theta_N^{(2)}(\mathrm{Ic}(N_2)) = P_I^{(2)}$ and $\theta_N^{(2)}(\mathrm{Tc}(N_2)) = P_T^{(2)}$, so 

As $\pi_{13}$ follows path $\pi_{12}$ in $\pi_1$, the sequence $\pi_{13}$ is from $(P_T^{(1)}, C_K, \sigma_2)$ to $(C'_1, \sigma')$ 
and contains only $K$-events. Using Lemma A.6, a simple induction on the length 
of $\pi_{13}$ shows that there is a path from $(\rho_K^{(1)}(P_T^{(1)}, C_K), \sigma_2)$ to $(\rho_K^{(1)}(C'_1), \sigma')$ in $K$. 

A simple induction on the length of this path, using Lemma A.7, shows that there 
is a path $\pi_{23}$ of $K[N_2]$ such that $\pi_{23} : (\theta_K^{(2)}(\rho_K^{(1)}(P_T^{(1)}, C_K)), \sigma_2) \longrightarrow^{*} (\theta_K^{(2)}(\rho_K^{(1)}(C'_1)), \sigma')$. 

From the definition of $\rho_K^{(1)}$, we have $\rho_K^{(1)}(P_T^{(1)}, C_K) = [-]^\bullet \cup \{\, c \mid 1{:}c \in C_K \,\}$. From 
the definition of $\theta_K^{(2)}$, we have $\theta_K^{(2)}([-]^\bullet \cup \{\, c \mid 1{:}c \in C_K \,\}) = P_T^{(2)} \cup C_K$. Hence 

Take $C'_2 = \theta_K^{(2)}(\rho_K^{(1)}(C'_1))$. By Lemma A.5 we have $\rho_K^{(2)}(C'_2) = \rho_K^{(1)}(C'_1)$. Con- 
sequently, the path $\pi_2 = \pi_{21} \cdot \pi_{22} \cdot \pi_{23}$ satisfies 

\[
\pi_2 : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (C'_2, \sigma'),
\]

for some $C'_2$ such that $\rho_K^{(1)}(C'_1) = \rho_K^{(2)}(C'_2)$, which is all that is required to complete 
this inner induction. 
Now, recall that $\pi_1$ is a complete sequence of $K[N_1]$, so 

\[
\pi_1 : (\mathrm{Ic}(K[N_1]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_1]), \sigma').
\]

From the immediately preceding induction, there exists a path $\pi_2$ of $K[N_2]$ such that 
$\pi_2 : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (C'_2, \sigma')$ for some $C'_2$ such that $\rho_K^{(1)}(\mathrm{Tc}(K[N_1])) = \rho_K^{(2)}(C'_2)$. 

Now, clearly $\rho_K^{(1)}(\mathrm{Tc}(K[N_1])) = \mathrm{Tc}(K)$ by the definitions of $\rho_K^{(1)}$ and $K[N_1]$. Hence 
$\mathrm{Tc}(K) = \rho_K^{(2)}(C'_2)$, so by Lemma A.5 we have $\theta_K^{(2)}(\mathrm{Tc}(K)) = C'_2$. The definition of 
$K[N_2]$ and $\theta_K^{(2)}$ gives $\theta_K^{(2)}(\mathrm{Tc}(K)) = \mathrm{Tc}(K[N_2])$. Hence 

\[
\pi_2 : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_2]), \sigma'),
\]

as required. 

($\pi_1$ not minimal) Suppose that the path $\pi_1$ is not minimal and that $\pi_1$ is a complete 
path of $K[N_1]$ with $\pi_1 : (\mathrm{Ic}(K[N_1]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_1]), \sigma')$. It is easy to see that the 
order $\prec$ is irreflexive, so there exists a path $\pi'_1$ such that $\pi'_1 \prec_1 \pi_1$. Hence there exist 
paths $\pi_2$ and $\pi_3$ and a $K$-event $e$ and an $N$-event $e'$ such that $\pi_1 = \pi_2 \cdot e \cdot e' \cdot \pi_3$ and 
$\pi'_1 = \pi_2 \cdot e' \cdot e \cdot \pi_3$. Furthermore, the events $e$ and $e'$ are independent, so $\pi'_1$ must also 
be a path $\pi'_1 : (\mathrm{Ic}(K[N_1]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_1]), \sigma')$. By induction, there exists a path 
$\pi'_2 : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_2]), \sigma')$, as required to complete the case. 

Hence, if $K[N_1] : \sigma_0 \Downarrow \sigma'$, there exists a path $\pi : (\mathrm{Ic}(K[N_1]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_1]), \sigma')$ in $K[N_1]$. 
Since $\pi \in \mathcal{P}_{K[N_1]}(\pi, \sigma_0)$, we have a path $\pi_2 : (\mathrm{Ic}(K[N_2]), \sigma_0) \longrightarrow^{*} (\mathrm{Tc}(K[N_2]), \sigma')$ in $K[N_2]$, 
so $K[N_2] : \sigma_0 \Downarrow \sigma'$. The proof for the reverse implication is symmetric. □ 